SEC Consult has disclosed two high-impact privilege escalation vulnerabilities in the Arturia Software Center for macOS (version 2.12.0.3157). The flaws, identified as CVE-2026-24062 and CVE-2026-24063, allow local attackers to execute code with root privileges. Because the vendor has not responded to multiple communication attempts, no official patch is currently available.
The first vulnerability involves insufficient XPC client validation in the "Privileged Helper" component, enabling unauthorized processes to trigger privileged tasks. The second vulnerability stems from a world-writable uninstall.sh script created with 777 permissions in a root-owned directory. By manipulating this script, an attacker can achieve code execution when the uninstallation process is triggered via the software UI or command line.
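A defender's check for the second flaw, as an added example that is not taken from the SEC Consult advisory or from Arturia: it reports files that any local user can alter, either because the file itself is world-writable (the 777 case described above) or, going one step beyond the page, because a non-sticky ancestor directory is. The function names are hypothetical, and the directory to audit is passed as an argument because the install path is not given on this page.

```shell
#!/bin/sh
# Added example: find scripts that any local user can alter before a
# privileged process runs them. Function names are hypothetical.

# True when "other" has write permission on the path (symlinks followed).
is_world_writable() {
    [ -n "$(find -H "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# True when the sticky bit is set (as on /tmp), which stops users from
# replacing files they do not own inside a world-writable directory.
has_sticky() {
    [ -n "$(find -H "$1" -maxdepth 0 -perm -1000 2>/dev/null)" ]
}

# Print one finding for FILE and return 0, or print nothing and return 1.
tamperable_reason() {
    f=$1
    if is_world_writable "$f"; then
        echo "$f: world-writable file"
        return 0
    fi
    # A file with safe permissions can still be swapped out if any
    # directory above it is world-writable without the sticky bit.
    d=$(dirname "$f")
    while :; do
        if is_world_writable "$d" && ! has_sticky "$d"; then
            echo "$f: world-writable ancestor $d"
            return 0
        fi
        case $d in /|.) break ;; esac
        d=$(dirname "$d")
    done
    return 1
}

# Audit every regular file under DIR; prints one line per finding.
audit_dir() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        tamperable_reason "$f" || :
    done
}

# Stand-alone use: sh audit.sh /path/to/helper/install/dir
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

Any finding on a file that a root-owned helper or installer executes should be treated as a local privilege escalation path until the file is `chmod 755` (or tighter) and owned by root.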