CVE-2025-8533 is a medium-severity vulnerability identified in the XPC services of Flexibits' Fantastical application, specifically related to improper authorization checks. The flaw exists in the listener:shouldAcceptNewConnection method of the XPC service, which is responsible for accepting incoming connection requests from local processes. Due to the lack of proper client authorization, the service unconditionally accepts connection requests from any local, unprivileged process. This means that any process running on the same machine, without elevated privileges, can connect to the XPC service and invoke its exposed methods. The vulnerability stems from CWE-863, which concerns incorrect authorization, allowing unauthorized access to sensitive functionality. The vulnerability was addressed and resolved in Fantastical version 4.0.16. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector details show that the attack vector is network-based (AV:N) but limited to local network or local machine context, with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality and integrity is low, with no impact on availability. No known exploits are reported in the wild as of the publication date. This vulnerability could allow local attackers to gain unauthorized access to functionalities exposed by the XPC service, potentially leading to information disclosure or unauthorized actions within the Fantastical application context. However, exploitation requires local access to the machine running Fantastical, limiting the attack surface primarily to compromised or multi-user systems.

For European organizations, the impact of CVE-2025-8533 depends largely on the deployment of Fantastical within their environments. Fantastical is a popular calendar and scheduling application, often used on macOS and iOS devices. Organizations relying on Fantastical for critical scheduling or collaboration could face risks if local attackers gain access to user machines, especially in shared or less controlled environments such as hot-desking offices or public access terminals. The vulnerability could enable unauthorized local processes to interact with Fantastical's XPC services, potentially exposing sensitive calendar data or enabling unauthorized actions within the app. While the vulnerability does not allow remote exploitation, insider threats or malware with local execution capabilities could leverage this flaw to escalate access or exfiltrate information. This is particularly relevant for organizations with high compliance requirements around data confidentiality, such as those in finance, healthcare, or government sectors. Additionally, the lack of user interaction and privileges required for exploitation increases the risk in environments where endpoint security is weak or where users may inadvertently execute malicious code locally. The vulnerability’s resolution in version 4.0.16 means that organizations not promptly updating may remain exposed.

To mitigate CVE-2025-8533, European organizations should prioritize updating Fantastical to version 4.0.16 or later, where the authorization checks have been properly implemented. Beyond patching, organizations should enforce strict endpoint security controls to prevent unauthorized local code execution, including application whitelisting, endpoint detection and response (EDR) solutions, and least privilege policies to limit the ability of unprivileged processes to run arbitrary code. Network segmentation and access controls should be applied to reduce the risk of lateral movement that could lead to local access on devices running Fantastical. Additionally, organizations should audit and monitor local process activities on critical endpoints to detect unusual interactions with XPC services. User education on the risks of executing untrusted software locally can further reduce exploitation likelihood. For environments with shared devices, implementing session isolation and user access controls can limit exposure. Finally, organizations should review Fantastical usage policies and consider alternative calendar solutions if the risk profile is unacceptable.