CVE-2025-69604 is a vulnerability identified in Shirt Pocket's SuperDuper! backup software, versions 3.11 and earlier, which runs on macOS. The issue arises because a local attacker can manipulate the default task template used by the software to install an arbitrary package. This package can execute shell scripts with root privileges and Full Disk Access, effectively bypassing macOS's privacy and security controls designed to protect sensitive user data and system integrity. The vulnerability requires local access, meaning the attacker must have some level of access to the affected machine. By exploiting this flaw, an attacker can escalate privileges from a standard user to root, gaining full control over the system and access to all files, including those protected by macOS privacy features. This could lead to unauthorized data access, system compromise, and persistence on the device. No public exploits have been reported yet, and no CVSS score has been assigned. The vulnerability is significant because it undermines macOS's layered security model, particularly the Full Disk Access protection, which is critical for safeguarding user data. SuperDuper! is a popular backup and disk cloning tool, especially among macOS users who require reliable backup solutions. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for interim mitigations. Organizations relying on SuperDuper! should be aware of this risk and prepare to update once a patch is released.

For European organizations, this vulnerability poses a serious risk to confidentiality, integrity, and availability of data on macOS systems using SuperDuper!. Attackers with local access could gain root privileges and bypass privacy controls, potentially accessing sensitive corporate data, intellectual property, or personal information protected under GDPR. This could lead to data breaches, regulatory penalties, and reputational damage. The ability to run arbitrary shell scripts with elevated privileges also enables attackers to install persistent malware, disrupt backup processes, or manipulate system configurations. Sectors with high macOS usage such as creative industries, software development, and certain government or research institutions are particularly vulnerable. The local access requirement limits remote exploitation but insider threats or compromised endpoints could be leveraged. The absence of known exploits reduces immediate risk but also means organizations should proactively mitigate to avoid future exploitation. The impact is heightened in environments where SuperDuper! is used for critical backup operations, as compromise could affect disaster recovery capabilities.

1. Immediately restrict local user permissions on macOS systems to minimize the number of users who can modify SuperDuper! task templates. 2. Monitor and audit changes to SuperDuper! task templates and related configuration files to detect unauthorized modifications. 3. Limit installation and execution of arbitrary packages by enforcing application whitelisting and endpoint protection controls. 4. Educate users about the risks of local privilege escalation and ensure strong endpoint security hygiene to prevent unauthorized local access. 5. Regularly back up critical data using alternative methods or software until a patch for SuperDuper! is released. 6. Follow Shirt Pocket's official channels for updates and apply patches promptly once available. 7. Consider deploying macOS security features such as System Integrity Protection (SIP) and Full Disk Encryption to add layers of defense. 8. Implement network segmentation to isolate macOS devices running SuperDuper! from sensitive network segments to limit lateral movement in case of compromise.