CVE-2025-69604 is a vulnerability identified in Shirt Pocket's SuperDuper! backup software, specifically versions 3.11 and earlier. The flaw allows a local attacker with limited privileges to manipulate the default task template used by the software. By modifying this template, the attacker can install an arbitrary package that runs shell scripts with root privileges and Full Disk Access on macOS systems. This effectively bypasses the macOS privacy protections designed to restrict access to sensitive data and system controls. The vulnerability is classified under CWE-276, indicating improper permissions or access control issues. The CVSS v3.1 base score is 7.8 (high severity), reflecting the significant impact on confidentiality, integrity, and availability. Exploitation requires local access and low privileges but does not require user interaction, making it a potent vector for privilege escalation. No patches or exploit code are currently publicly available, and no known exploits have been reported in the wild. However, the ability to gain root-level execution and full disk access poses a serious risk, especially in environments where SuperDuper! is used for backups on macOS endpoints.

For European organizations, this vulnerability poses a significant risk to endpoint security, particularly for those relying on SuperDuper! for backup operations on macOS devices. An attacker exploiting this flaw could gain root privileges and full disk access, enabling them to bypass privacy controls, access sensitive data, modify or delete backups, and potentially pivot to other parts of the network. This could lead to data breaches, loss of data integrity, and disruption of business continuity. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance violations and reputational damage if exploited. The local access requirement limits remote exploitation but insider threats or compromised user accounts could leverage this vulnerability to escalate privileges. The lack of user interaction requirement increases the risk of automated or stealthy attacks once local access is obtained.

Organizations should immediately audit their macOS endpoints to identify installations of SuperDuper! version 3.11 or earlier. Until a patch is available, restrict local user permissions to prevent unauthorized modification of SuperDuper! task templates. Implement strict endpoint security controls, including application whitelisting and monitoring for unusual modifications to backup task configurations. Employ macOS security features such as System Integrity Protection (SIP) and ensure Full Disk Access permissions are tightly controlled and monitored. Regularly review and limit administrative privileges on macOS systems to reduce the risk of privilege escalation. Consider alternative backup solutions if timely patching is not feasible. Additionally, monitor system logs for suspicious activity related to SuperDuper! and shell script executions with elevated privileges. Prepare incident response plans to quickly contain and remediate any exploitation attempts.