Multiple Privilege Escalation Vulnerabilities in Arturia Software Center MacOS

Title

Multiple Privilege Escalation Vulnerabilities

Product

Arturia Software Center MacOS

Vulnerable Version

2.12.0.3157

Fixed Version

-

CVE Number

CVE-2026-24062, CVE-2026-24063

Impact

high

Found

02.01.2026

By

Florian Haselsteiner (Office Vienna) | SEC Consult Vulnerability Lab

Management summary

The Arturia Software Center was found to be vulnerable to local privilege escalation via multiple vectors. The privileged helper used by Arturia Software Center via XPC does not perform client validation. When a plugin is installed, a world-writable uninstall shell script is written to disk, which is executed by root on uninstallation. The vendor was unresponsive and no patch is available.

Vendor description

"We create instruments and effects that encourage musical discovery, reward curiosity, and savor the artistic process. We’re an international team of passionate people, on a mission to navigate uncharted sonic territory in the name of creative empowerment. From the raw analog power of Brute synthesizers to our faithful virtual instrument emulations of V Collection, we provide musicians with an inspiring sonic experience that's instantly accessible, exploratory, and thrilling."

Source: https://www.arturia.com/company

Business recommendation

The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Insufficient XPC Client validation (CVE-2026-24062)

It was found that the "Privileged Helper" component of the Arturia Software Center does not perform sufficient client code signature validation when a client connects. An attacker is therefore able to connect to the helper and execute privileged actions, resulting in local privilege escalation.

2) World writable uninstall.sh script executed by root (CVE-2026-24063)

It was found that when a plugin is installed using the Arturia Software Center, the plugin also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with file permissions 777, meaning it is writable by any user. When a plugin is uninstalled via the Arturia Software Center, the Privileged Helper is instructed to execute this script. If the bash script has been manipulated by an attacker, this leads to privilege escalation.

Proof of concept

1) Insufficient XPC Client validation (CVE-2026-24062)

The Privileged Helper service does not check if the connecting client is signed with a valid code signature. Any process can connect to the privileged helper and trigger privileged actions.

The following C code can be used to connect to the privileged helper and trigger code execution as root. By first using the FINISHM command to make /Library/Arturia a symlink to /tmp/test and then triggering UNINSTA on /Library/Arturia/uninstall.sh, the attacker-controlled bash script /tmp/test/uninstall.sh is executed by root. The proof of concept sets up the /tmp/test directory as well as the /tmp/test/uninstall.sh script, which contains commands to add the user lowpriv to the sudoers file.

[ PoC exploit code removed ]

The code can be compiled using clang:

clang -o exploit exploit.c

And then be executed like:

./exploit com.Arturia.InstallHelper

This will trigger execution of /tmp/test/uninstall.sh as root leading to privilege escalation.

2) World writable uninstall.sh script executed by root (CVE-2026-24063)

When a VST is installed via the ASC, the following path is created:

/Library/Arturia/Acid V/Acid V.vst3/Contents/Resources

The following contents are installed:

user@usersVilMachine Resources % ls -al
total 8
drwxrwxrwx  3 root  wheel    96 Oct  9 09:27 .
drwxrwxrwx  7 root  wheel   224 Oct  9 09:27 ..
-rwxrwxrwx  1 root  wheel  3315 Oct  9 09:26 uninstall.sh
user@usersVilMachine Resources % pwd
/Library/Arturia/Acid V/Acid V.vst3/Contents/Resources

When uninstalling the same software via the ASC the following XPC message is sent to the InstallHelper:

UNINSTA /Library/Arturia/Acid V/Acid V.vst3/Contents/Resources/uninstall.sh

This will trigger execution of the uninstall.sh file as root. The uninstallation can be triggered either by exploiting the missing XPC client authentication of the Privileged Helper or by manually triggering the uninstall via the UI.
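As an added defender-side check (not part of the advisory), the following shell function audits a plugin install root for the two conditions this section describes: entries under a root-owned tree that are writable by everyone, as uninstall.sh is here, and symlinks standing in for directories. The path /Library/Arturia is taken from the advisory; the function name and the sample tree in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or the vendor.
# Audit an install root (e.g. /Library/Arturia) for files or directories a
# root-running helper may later execute but that any local user can modify,
# and for symlinks that replace directories inside that tree.
# Prints each finding in "ls -ld" form and returns 1 if anything was found,
# 0 if the tree is clean, 2 if the argument is not a directory.
#
# Constructed sample tree that reproduces the listing in the advisory:
#   /Library/Arturia/Acid V/Acid V.vst3/Contents/Resources/uninstall.sh  (mode 777)
audit_install_root() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Anything whose mode includes the others-write bit (-perm -0002 matches
    # regardless of the remaining bits). Symlinks are skipped here because
    # their own mode is meaningless; they are reported separately below.
    ww=$(find "$root" ! -type l -perm -0002 -print)

    # Symlinks anywhere under the root. A directory such as the install root
    # itself being replaced by a link is exactly what the XPC abuse relies on.
    links=$(find "$root" -type l -print)

    rc=0
    if [ -n "$ww" ]; then
        echo "world-writable entries under $root:"
        # Paths contain spaces ("Acid V"), so read line by line, not word by word.
        printf '%s\n' "$ww" | while IFS= read -r p; do ls -ld "$p"; done
        rc=1
    fi
    if [ -n "$links" ]; then
        echo "symlinks under $root:"
        printf '%s\n' "$links" | while IFS= read -r p; do ls -ld "$p"; done
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "no findings under $root"
    return "$rc"
}
```

Run it as `audit_install_root /Library/Arturia` after each plugin install or update; a non-zero exit status is the signal to investigate.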

Vulnerable / tested versions

The following version was tested, which was the latest version available at the time of the test:

  • 2.12.0.3157

All tests have been performed on MacOS 26.2 with SIP enabled!

Vendor contact timeline

2026-01-05 Contacting vendor through info@arturia.com; no response.
2026-01-27 Contacting vendor through contact form. Got error, "Support out of reach!"
2026-01-27 Contact via contact form again, seems to have a bug.
2026-01-27 Contact via info@arturia.com and webmaster@arturia.com; no response.
2026-02-03 Tried to contact vendor via contact form after login. Got same error.
2026-02-03 Contact via sales.support@arturia.com; no response.
2026-02-24 Tried to contact vendor via contact form, again same error.
2026-02-25 Contact via privacy-inquiries@arturia.com; no response.
2026-03-18 Public release of advisory.

Solution

The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF Florian Haselsteiner / @2026