CVE-2025-65842: n/a
The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell.
AI Analysis
Technical Summary
CVE-2025-65842 identifies multiple security flaws in the Aquarius HelperTool version 1.0.003, a privileged XPC service running on macOS. The service is designed to handle interprocess communication (IPC) requests locally but fails to validate the identity of connecting clients, allowing any local process to establish a connection. The core issue lies in the authorization logic: the service calls AuthorizationCopyRights with a NULL reference, which bypasses proper authorization checks and causes all requests to be approved regardless of the client's privileges. The vulnerable method executeCommand:authorization:withReply: takes attacker-controlled input and interpolates it directly into an NSTask execution context, which runs with root privileges. This combination of unchecked client connections, flawed authorization, and command injection enables a local attacker to escalate privileges from a non-privileged user to root. The attacker can execute arbitrary commands as root, potentially creating persistent backdoors or obtaining a fully interactive root shell. The vulnerability requires local access to the macOS system but does not require user interaction or prior authentication. The CVSS 3.1 score of 5.1 reflects the local attack vector and medium impact on confidentiality and integrity, with no impact on availability. No patches or mitigations are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment).
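As an added illustration (not code from the Aquarius HelperTool or its vendor), the following sketch shows how a macOS privileged XPC helper closes the three weaknesses described above: it pins incoming connections to a code-signing requirement, rebuilds a real AuthorizationRef before calling AuthorizationCopyRights, and launches a fixed executable with a fixed argument vector instead of interpolating client input into NSTask. The protocol name, bundle identifier, Team ID, authorization right and the allowed command are placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Placeholder names: the real protocol, bundle id, Team ID and right are not on the page.
@protocol HelperProtocol
- (void)executeCommand:(NSString *)name authorization:(NSData *)authData
             withReply:(void (^)(NSInteger status, NSString *message))reply;
@end
@interface HardenedHelper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end
@implementation HardenedHelper
// Flaw 1: bind each connection to a code-signing requirement (macOS 13+) so only the
// signed companion app can reach the helper, not any local process.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:@"anchor apple generic and identifier "
            "\"com.example.aquarius\" and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\""];
    } else {
        return NO;  // older systems would need an audit-token based check, not shown here
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self; [conn resume];
    return YES;
}
// Flaw 2: rebuild a real AuthorizationRef from the client's external form and hand it
// to AuthorizationCopyRights; a NULL ref or malformed blob is a hard failure, never a pass.
- (BOOL)clientHoldsRight:(NSData *)authData {
    AuthorizationRef authRef = NULL;
    if (authData.length != sizeof(AuthorizationExternalForm) ||
        AuthorizationCreateFromExternalForm(authData.bytes, &authRef) != errAuthorizationSuccess ||
        authRef == NULL) return NO;
    AuthorizationItem item = { "com.example.aquarius.execute", 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    OSStatus st = AuthorizationCopyRights(authRef, &rights, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;
}
// Flaw 3: no shell and no string interpolation; the client picks a logical name from a
// fixed table and the helper supplies the absolute path and argument vector itself.
- (void)executeCommand:(NSString *)name authorization:(NSData *)authData
             withReply:(void (^)(NSInteger, NSString *))reply {
    NSArray *argv = @{ @"flush-dns": @[ @"/usr/bin/dscacheutil", @"-flushcache" ] }[name];
    if (!argv) { reply(1, @"unknown command"); return; }
    if (![self clientHoldsRight:authData]) { reply(2, @"not authorized"); return; }
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:argv[0]];
    task.arguments = [argv subarrayWithRange:NSMakeRange(1, argv.count - 1)];
    NSError *err = nil;
    if (![task launchAndReturnError:&err]) { reply(3, err.localizedDescription); return; }
    [task waitUntilExit]; reply(task.terminationStatus, @"ok");
}
@end
```

The requirement string must be set before the connection is resumed, and the authorization check is deliberately performed after the allow-list lookup so that an unknown command never reaches the privileged path at all.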
Potential Impact
For European organizations, this vulnerability poses a significant risk to macOS endpoints that have the Aquarius HelperTool installed. Successful exploitation allows attackers with local access—such as employees, contractors, or malware that has gained initial foothold—to escalate privileges to root, bypassing standard security controls. This can lead to unauthorized access to sensitive data, modification or deletion of critical files, installation of persistent malware, and full system compromise. The confidentiality and integrity of organizational data on affected macOS devices are at risk. Although the attack requires local access, it could be leveraged in targeted attacks or combined with other exploits to gain initial access. Organizations with macOS-based infrastructure, especially those in sectors with high-value intellectual property or sensitive personal data (e.g., finance, healthcare, government), face elevated risks. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future exploitation. The vulnerability does not affect availability directly but could be used to disrupt operations through malicious root-level actions.
Mitigation Recommendations
European organizations should first identify macOS systems running the Aquarius HelperTool version 1.0.003 or similar vulnerable versions. Since no official patches are currently available, organizations should apply the following mitigations: (1) Restrict local access to macOS systems by enforcing strict physical and logical access controls, including limiting administrative privileges and using endpoint protection solutions. (2) Monitor and audit local IPC connections and system logs for unusual activity related to the Aquarius HelperTool or NSTask executions. (3) Employ application whitelisting and runtime protection to detect and block unauthorized command executions at the root level. (4) Use macOS security features such as System Integrity Protection (SIP) and Endpoint Security Framework to limit the impact of privilege escalation attempts. (5) Educate users about the risks of running untrusted local software and enforce least privilege principles. (6) Stay updated with vendor advisories for patches or updates addressing this vulnerability and apply them promptly once available. (7) Consider isolating critical macOS systems or using virtualization to reduce exposure. These targeted mitigations go beyond generic advice by focusing on controlling local access, monitoring IPC usage, and leveraging macOS-specific security controls.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69306fa987f844e86079960f
Added to database: 12/3/2025, 5:13:13 PM
Last enriched: 12/10/2025, 6:27:22 PM
Last updated: 1/18/2026, 10:01:25 PM