
CVE-2025-65842: n/a

Published: Wed Dec 03 2025 (12/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell.

AI-Powered Analysis

Last updated: 12/03/2025, 17:29:56 UTC

Technical Analysis

CVE-2025-65842 is a critical local privilege escalation vulnerability found in the Aquarius HelperTool version 1.0.003, a privileged XPC service on macOS. The vulnerability arises because the service accepts XPC connections from any local process without verifying the client's identity, effectively allowing any local user or process to communicate with it. Additionally, the authorization logic is flawed: it calls AuthorizationCopyRights with a NULL reference, which causes all authorization checks to succeed regardless of the actual permissions of the caller. The vulnerable method, executeCommand:authorization:withReply:, takes attacker-controlled input and interpolates it into an NSTask command that is executed with root privileges. This means a local attacker can run arbitrary commands as root, bypassing normal security controls. Potential exploitation scenarios include creating persistent backdoors, installing rootkits, or obtaining fully interactive root shells, which can lead to complete system compromise. Although no CVSS score has been assigned, the vulnerability is straightforward to exploit for anyone with local access and does not require user interaction beyond local presence. No patches or mitigations are currently published, and no known exploits are reported in the wild as of the publication date. However, the severity and nature of the flaw make it a significant threat to macOS environments where the Aquarius HelperTool is present.
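As an added example (not code from the Aquarius HelperTool or from this record), the following Objective-C helper shows the defensive counterpart to each of the three flaws described above: a code-signing requirement on the XPC peer, an AuthorizationCopyRights check against the caller's decoded AuthorizationRef, and a fixed operation table instead of a command string handed to NSTask. The protocol name, right name, bundle identifier and team ID are assumed placeholders.

```objectivec
// Added example (not the Aquarius HelperTool's code); identifiers and the
// code-signing requirement below are assumed placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <errno.h>
@protocol HelperProtocol
- (void)runOperation:(NSString *)op authorization:(NSData *)auth withReply:(void (^)(int))reply;
@end
@interface HelperListener : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end
// Decode the caller's AuthorizationRef from its external form and require one
// specific right. A malformed blob, a NULL ref or a non-success status is a denial.
static BOOL authorizedForRight(NSData *extForm) {
    if (extForm.length != sizeof(AuthorizationExternalForm)) return NO;
    AuthorizationRef ref = NULL;
    if (AuthorizationCreateFromExternalForm(extForm.bytes, &ref) != errAuthorizationSuccess || !ref) return NO;
    AuthorizationItem item = { "com.example.helper.run", 0, NULL, 0 };  // assumed right name
    AuthorizationRights rights = { 1, &item };
    OSStatus st = AuthorizationCopyRights(ref, &rights, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(ref, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;
}
@implementation HelperListener
// Only accept peers whose code signature meets an explicit requirement (macOS 13+);
// the requirement is enforced on every message, so a PID race cannot bypass it.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    [conn setCodeSigningRequirement:@"anchor apple generic and identifier \"com.example.client\" "
                                      "and certificate leaf[subject.OU] = \"TEAMID0000\""];
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
// No shell and no string interpolation: the client names an operation from a
// fixed table and the helper runs that argv directly, only after authorization.
- (void)runOperation:(NSString *)op authorization:(NSData *)auth withReply:(void (^)(int))reply {
    NSDictionary<NSString *, NSArray<NSString *> *> *allowed =
        @{ @"flush-dns": @[@"/usr/bin/dscacheutil", @"-flushcache"] };
    NSArray<NSString *> *argv = allowed[op];
    if (!argv || !authorizedForRight(auth)) { reply(EPERM); return; }
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:argv[0]];
    task.arguments = [argv subarrayWithRange:NSMakeRange(1, argv.count - 1)];
    if (![task launchAndReturnError:nil]) { reply(ENOENT); return; }
    [task waitUntilExit];
    reply(task.terminationStatus);
}
@end
```

The client side is expected to obtain the right with AuthorizationCreate and AuthorizationCopyRights in its own process and pass AuthorizationMakeExternalForm's output as the auth blob; the helper never trusts the caller's claim, only the status the Security framework returns.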

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on macOS systems in sensitive environments such as government, finance, healthcare, and critical infrastructure. An attacker with local access, such as a malicious insider, a compromised endpoint, or an attacker with physical access, can escalate privileges to root, leading to full system compromise. This can result in data breaches, disruption of services, installation of persistent malware, and lateral movement within networks. The ability to create persistent backdoors or obtain root shells increases the risk of long-term undetected intrusions. Organizations with remote or hybrid workforces using macOS devices are also at risk if endpoint security is insufficient. Because the service validates neither the client's identity nor its authorization, even low-privileged local users or processes can exploit this flaw, which enlarges the attack surface. The absence of a patch at the time of disclosure means organizations must rely on compensating controls to mitigate risk temporarily.

Mitigation Recommendations

Until an official patch is released, European organizations should implement the following specific mitigations:
1) Restrict local access to macOS systems running the Aquarius HelperTool by enforcing strict physical security and endpoint access controls.
2) Use macOS security features such as System Integrity Protection (SIP) and Endpoint Detection and Response (EDR) tools to monitor and block suspicious local process behavior, especially attempts to interact with privileged XPC services.
3) Audit and limit the use of the Aquarius HelperTool where possible, including disabling or removing it if it is not essential to operations.
4) Employ application allowlisting and restrict execution of unauthorized commands or scripts, in particular child processes spawned by the privileged helper.
5) Monitor system logs and XPC service usage for anomalous activity indicative of exploitation attempts, such as unexpected processes connecting to the helper's Mach service or the helper spawning shells as root.
6) Educate users and administrators about the risks of local privilege escalation and enforce least privilege principles.
7) Prepare for rapid deployment of patches once available by maintaining an up-to-date asset inventory and a patch management process focused on macOS endpoints.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69306fa987f844e86079960f

Added to database: 12/3/2025, 5:13:13 PM

Last enriched: 12/3/2025, 5:29:56 PM

Last updated: 12/5/2025, 12:52:06 AM

