Management summary
The Vienna Symphonic Library - Vienna Assistant software for MacOS utilizes a privileged helper to perform privileged actions. The NSXPC listener of the privileged helper, does not perform client validation at all leading to privilege escalation.
Vendor description
"We make products, tools and services that enable all creators and musicians to express their deepest emotions through technology, designed to augment their passion for music and musicality. Since all of us here at Vienna Symphonic Library are educated musicians, simply passionate about music, or both, we know that every piece of work – a song for a birthday party, a commercial jingle or a new film score – requires your full attention and energy. That’s why we design our products and services to alleviate the burden of unwanted tasks so that you can concentrate on what you enjoy most and get the job done."
Source: https://www.vsl.co.at/company/vision
Business recommendation
The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.
Vulnerability overview/description
1) Missing XPC Client & NSXPC endpoint validation leads to privilege escalation (CVE-2026-24068)
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.
1000060b0 bool -[HelperTool listener:shouldAcceptNewConnection:](struct HelperTool* self, SEL sel, id listener, id shouldAcceptNewConnection)
1000060b0 {
1000060b0 _NSLog(@"New Listener");
1000060fc [shouldAcceptNewConnection setExportedInterface:[clsRef_NSXPCInterface
1000060fc interfaceWithProtocol:protoRef_HelperToolProtocol]];
100006110 [shouldAcceptNewConnection setExportedObject:self];
100006120 [shouldAcceptNewConnection resume];
100006130 return 1;
1000060b0 }
This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.
No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
Proof of concept
1) Missing XPC Client & NSXPC endpoint validation leads to privilege escalation (CVE-2026-24068)
To exploit the missing XPC client validation an attacker only has to define the same Objective C protocol and start a connection to the privileged helper XPC service. The attacker can then use any function available in the defined protocol. The HelperToolProtocol has the functions writeReceiptFile and runUninstaller defined, which both do not perform validation of their arguments. The function runUninstaller can be exploited to execute bash commands as root. The following Objective C code implements the exploit:
[ PoC exploit code removed ]The proof of concept code can be compiled using the following command:
clang -o exploit -framework Foundation ./exploit.mmVulnerable / tested versions
The following version has been tested which was the latest version available at the time of the test:
- 1.2.542