Apple recently patched a critical vulnerability in macOS that allowed malicious actors to bypass the system's privacy controls, known as TCC (Transparency, Consent, and Control), and access highly sensitive user data. The exposed information even included cached content related to Apple Intelligence.
The vulnerability, identified as CVE-2025-31199 and dubbed "SPloitLight" by Microsoft researchers, exploited the behavior of Spotlight plugins to evade macOS's privacy restrictions. This made it possible to collect detailed user data without any visible permission request.
Apple addressed the issue in March 2025 with the release of macOS Sequoia 15.4, incorporating a key improvement in how data is redacted (i.e., hidden or protected) during system indexing. According to Apple, this was a "data redaction improvement" aimed at closing the loophole SPloitLight used to bypass system defenses.
In macOS, the TCC (Transparency, Consent, and Control) system acts as a security layer that prevents apps from freely accessing personal data such as your location, photos, calendar, or contacts. To access that data, apps must request your permission—at least in theory.
However, a team of Microsoft researchers (Jonathan Bar Or, Alexia Wilson, and Christine Fossaceca) found a way to circumvent that control. They discovered that certain Spotlight plugins could be manipulated to execute code with elevated privileges. This allowed malicious apps to bypass TCC protections and access files normally restricted to applications with full disk access.
According to Microsoft, while this attack resembles previous bypasses like HM-Surf and powerdir, SPloitLight poses an even greater risk. Why? Because it can not only bypass local privacy controls but also extract cached data from Apple Intelligence and even remote information from devices connected to iCloud.
In other words, what seemed like a technical and limited vulnerability actually translated into uncontrolled access to highly sensitive data, both local and cloud-based.
The scope of this macOS flaw is far from minor. If an attacker managed to exploit it, they could access a large amount of private information without the user ever noticing. The types of data that could be stolen include:
The user's precise location
Photo and video metadata (such as where and when they were taken)
Facial recognition data and information about people detected in images
Photo albums and shared libraries
Search history and personalized settings
Deleted photos and videos that may still be cached
Remote data linked to iCloud accounts and associated devices
Although Apple described the issue as a mere “logging problem,” Microsoft went further and demonstrated that the bug actually allowed unauthorized code execution and access to critical system components. In other words, it was privileged access disguised as a routine system operation.
Exploitation of SPloitLight (Source: Microsoft)
What’s most concerning about the SPloitLight vulnerability is that it didn’t require the user to do anything at all. Since Spotlight is a core system service, attackers could exploit this flaw without any user interaction, using modified plugins that took advantage of Spotlight’s default elevated privileges.
Even worse, Apple’s privacy framework, TCC (Transparency, Consent, and Control), didn’t even detect the access. That means no alerts, no notifications, and no clear logs. It was a completely silent intrusion.
This isn’t the first time breaches have been discovered in macOS defenses. Microsoft had previously reported similar flaws that allowed attackers to bypass or compromise the TCC system and other security layers. Here are some of the most notable:
CVE-2020-9771 – TCC bypass using Time Machine mounts
CVE-2021-30713 – Logic vulnerability in package verification
CVE-2021-30970 (powerdir) – Injection of fake configurations into the TCC database
CVE-2023-32369 (migraine) – System Integrity Protection (SIP) bypass for rootkit installation
CVE-2024-44243 – Driver injection through third-party kernel extensions
Each of these flaws demonstrated that, despite macOS's robust architecture, its security layers can still be vulnerable to well-crafted attacks.
Microsoft didn’t stop at documenting the technical issue. The company also issued a clear warning: these vulnerabilities don’t just affect the compromised device—they could also expose data from other devices linked to the same iCloud account.
“These risks are amplified by the possibility of remote access to data tied to iCloud accounts,” the researchers explained. “An attacker could obtain partial information from all devices connected to the same Apple ID.”
In other words, compromising a single Mac could become the entry point to your entire Apple device network.
Apple quietly addressed the issue in March 2025 with the release of macOS Sequoia 15.4. The patch included improvements to the system’s data redaction mechanisms and imposed new restrictions on the behavior of Spotlight plugins.
Although Apple didn’t make much noise about the update, the recommendation for users and organizations is clear:
Update immediately to macOS Sequoia 15.4 or later
Audit third-party software that integrates with Spotlight
Monitor for unusual plugin behavior, especially from plugins running in the background
Use System Integrity Logs to detect suspicious or abnormal access
These measures are especially critical in enterprise environments, where a single point of entry can expose entire networks.
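The audit step recommended above, as an added example that is not code from Apple, Microsoft or the original article: it inventories Spotlight importer bundles and flags the ones that sit in the per-user folder or have an unreadable Info.plist. The `.mdimporter` folder locations, the Info.plist keys it reads and the review policy in `needs_review` are assumptions that the article does not state.

```python
"""Inventory Spotlight importer bundles and flag the ones worth a manual review."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption: standard macOS importer folders. The per-user one needs no admin
# rights to write to, so bundles found there get the closest look.
USER_ROOT = Path.home() / "Library/Spotlight"
DEFAULT_ROOTS = (USER_ROOT, Path("/Library/Spotlight"), Path("/System/Library/Spotlight"))

def read_info(bundle):
    """Parse Contents/Info.plist; return {} if it is missing or malformed."""
    try:
        info = plistlib.loads((bundle / "Contents" / "Info.plist").read_bytes())
    except (OSError, ValueError, ExpatError):
        return {}
    return info if isinstance(info, dict) else {}

def declared_types(info):
    """Content types (UTIs) the importer asks Spotlight to hand it for indexing."""
    types = set()
    for doc in info.get("CFBundleDocumentTypes", []):
        if isinstance(doc, dict):
            types.update(doc.get("LSItemContentTypes", []))
    return sorted(types)

def audit_importers(roots=DEFAULT_ROOTS, user_root=USER_ROOT):
    """Return one record per *.mdimporter bundle found directly under each root."""
    records = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for bundle in sorted(root.glob("*.mdimporter")):
            info = read_info(bundle)
            records.append({
                "bundle": str(bundle),
                "bundle_id": info.get("CFBundleIdentifier"),
                "types": declared_types(info),
                "per_user": root.resolve() == Path(user_root).resolve(),
                "plist_ok": bool(info),
            })
    return records

def needs_review(record):
    """Hypothetical policy: per-user location or unreadable plist means review."""
    return record["per_user"] or not record["plist_ok"]

if __name__ == "__main__":
    for rec in filter(needs_review, audit_importers()):
        print(rec["bundle"], rec["bundle_id"], rec["types"])
```

Run on a Mac, it prints only the bundles that match the review policy; compare the declared content types against what the owning application actually needs to index.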
The SPloitLight case shows that even the most closed and secure systems, like macOS, are not immune to serious architectural flaws. What’s most concerning is that these attacks can go completely unnoticed by users and traditional security solutions.
Updating the operating system and adopting a proactive security posture is no longer optional—it’s a necessity. Organizations must stay up to date with patches, scrutinize the software they rely on, and make full use of Apple’s logging and monitoring tools.