
CVE-2026-2637: CWE-732 Incorrect Permission Assignment for Critical Resource in iBoysoft iBoysoft NTFS

Severity: High
Tags: Vulnerability, CVE-2026-2637, cve, cve-2026-2637, cwe-732
Published: Tue Mar 03 2026 (03/03/2026, 14:04:28 UTC)
Source: CVE Database V5
Vendor/Project: iBoysoft
Product: iBoysoft NTFS

Description

iBoysoft NTFS for Mac contains a local privilege escalation vulnerability in its privileged helper daemon ntfshelperd. The daemon exposes an NSConnection service that runs as root without implementing any authentication or authorization checks. This issue affects iBoysoft NTFS: 8.0.0.

AI-Powered Analysis

Last updated: 03/03/2026, 14:47:39 UTC

Technical Analysis

CVE-2026-2637 identifies a local privilege escalation vulnerability in iBoysoft NTFS for Mac, specifically version 8.0.0. The root cause is an incorrect permission assignment (CWE-732) in the privileged helper daemon named ntfshelperd. This daemon exposes an NSConnection service that runs with root privileges but does not implement any authentication or authorization mechanisms. NSConnection is an interprocess communication mechanism in macOS, and because the service is exposed without controls, any local user with access to the system can communicate with the daemon and execute privileged operations. Because the daemon runs as root, this allows an attacker to escalate their privileges from a limited user to root, effectively gaining full control over the system.

The vulnerability requires local access and no user interaction, making it easier to exploit in environments where untrusted users have shell or local access. The CVSS 4.0 score is 8.5 (high), reflecting the significant impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for user interaction. No patches or mitigations have been officially released as of the publication date, and no known exploits have been observed in the wild. The vulnerability is specific to version 8.0.0 of iBoysoft NTFS for Mac, third-party software that enables NTFS read/write support on macOS systems.

Potential Impact

The impact of CVE-2026-2637 is substantial for organizations using iBoysoft NTFS for Mac version 8.0.0. Exploitation allows a local attacker to gain root privileges, which can lead to full system compromise, including unauthorized access to sensitive data, installation of persistent malware, disabling security controls, and lateral movement within networks. This is particularly critical in environments where multiple users share macOS systems or where endpoint security relies on user privilege separation. The vulnerability undermines the integrity and confidentiality of affected systems and can disrupt availability if exploited to disable or manipulate system components. Organizations with macOS endpoints running this software, especially in enterprise or development environments, face elevated risks of insider threats or post-compromise escalation by attackers who have gained initial footholds. Since no patches are currently available, the window of exposure remains open, increasing the urgency for mitigation.

Mitigation Recommendations

Until an official patch is released by iBoysoft, organizations should implement strict local access controls to limit who can log in or execute code on macOS systems running iBoysoft NTFS 8.0.0. This includes enforcing strong user account policies, disabling unnecessary local accounts, and restricting physical and remote access to trusted personnel only. Monitoring for unusual local activity or privilege escalation attempts can help detect exploitation attempts. Consider uninstalling or disabling iBoysoft NTFS temporarily if feasible, especially on high-risk systems. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous privilege escalation behavior. Once a patch is available, prioritize immediate deployment. Additionally, vendors and administrators should audit other privileged helper daemons for similar insecure IPC exposures to prevent analogous vulnerabilities.
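As a starting point for the audit recommended above, the following added example (not part of the advisory and not vendor tooling) triages launchd daemon definitions for third-party jobs that run as root and advertise a Mach service, and notes when the helper binary references NSConnection. The sample label and helper path are constructed, and the result is only a candidate list for manual review of each daemon's authorization checks.

```python
import plistlib
from pathlib import Path

# Constructed sample launchd job; label and helper path are hypothetical.
SAMPLE_JOB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.fshelperd</string>
  <key>ProgramArguments</key>
  <array><string>/Library/PrivilegedHelperTools/fshelperd</string></array>
  <key>MachServices</key><dict><key>com.example.fshelperd</key><true/></dict>
</dict></plist>"""


def triage_job(job, binary=b""):
    """Return review findings for one parsed launchd job (empty list: not a candidate)."""
    label = job.get("Label", "<no label>")
    if label.startswith("com.apple."):
        return []  # OS-provided daemons are out of scope for this pass
    # A LaunchDaemon runs as root unless UserName says otherwise.
    if job.get("UserName", "root") != "root":
        return []
    services = sorted(job.get("MachServices", {}))
    if not services:
        return []  # no named IPC endpoint advertised through launchd
    findings = [f"{label}: root daemon exposing Mach services {services}"]
    # Heuristic: the class name appears in binaries that link Distributed Objects.
    if b"NSConnection" in binary:
        findings.append(f"{label}: binary references deprecated NSConnection")
    return findings


def audit_dir(daemon_dir="/Library/LaunchDaemons"):
    """Triage every plist in daemon_dir; unparseable files are reported, not skipped."""
    results = []
    for plist_path in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            job = plistlib.loads(plist_path.read_bytes())
        except Exception as exc:  # malformed plist or permission error
            results.append(f"{plist_path.name}: could not parse ({exc})")
            continue
        exe = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
        try:
            binary = Path(exe).read_bytes() if exe else b""
        except OSError:
            binary = b""  # helper missing or unreadable; plist findings still apply
        results += triage_job(job, binary)
    return results


if __name__ == "__main__":
    print("\n".join(audit_dir()))
```

A finding means the daemon is reachable by local processes as root, not that it is vulnerable; each one still needs a check of how the service authenticates its callers.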


Technical Details

Data Version: 5.2
Assigner Short Name: Fluid Attacks
Date Reserved: 2026-02-17T19:10:25.606Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 69a6f130d1a09e29cb4be7a9

Added to database: 3/3/2026, 2:33:20 PM

Last enriched: 3/3/2026, 2:47:39 PM

Last updated: 3/4/2026, 8:13:43 AM
