CVE-2021-30972 Overview
CVE-2021-30972 is an authorization flaw [CWE-863] in Apple macOS that allows a malicious application to bypass certain Privacy preferences. Apple addressed the issue with improved checks in Security Update 2022-001 Catalina and macOS Big Sur 11.6.3. The vulnerability requires local access and low privileges, and it can result in unauthorized modification of integrity-protected resources managed by the Transparency, Consent, and Control (TCC) framework.
Critical Impact
A locally executing malicious application can bypass Privacy preference enforcement on affected macOS systems, gaining access to resources that should require explicit user consent.
Affected Products
- Apple macOS Catalina 10.15.7 (prior to Security Update 2022-001)
- Apple macOS Big Sur (prior to 11.6.3)
- Apple macOS Monterey 12.0.0 and 12.0.1
Discovery Timeline
- 2021-08-24 - CVE-2021-30972 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-30972
Vulnerability Analysis
The vulnerability resides in the Privacy enforcement layer of macOS, commonly associated with the Transparency, Consent, and Control (TCC) subsystem. TCC mediates application access to protected resources such as the camera, microphone, contacts, calendar, photos, and Full Disk Access scopes. A malicious application running locally can circumvent these mediation checks and access resources without the consent flow that TCC normally enforces.
Apple's published advisory states only that the issue was addressed with improved checks, indicating the root cause was insufficient validation rather than a memory safety defect. The flaw is classified under [CWE-863] Incorrect Authorization, meaning the system performed an authorization check but reached an incorrect decision under specific conditions.
Root Cause
The root cause is improper authorization logic in the Privacy preferences enforcement path. The affected component did not adequately validate that a calling application held the required entitlements or consent record before granting access to a protected resource. Apple resolved the issue by tightening these checks in the patched releases.
Attack Vector
Exploitation requires local code execution with low privileges and no user interaction. An attacker must first achieve execution on the target macOS host, typically via a trojanized application, supply-chain compromise, or post-exploitation foothold. Once running, the malicious process invokes the affected Privacy preferences pathway to access resources without triggering the normal consent prompt.
No public proof-of-concept code is available for this issue, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Apple's advisories (HT213055, HT213056, HT212978) do not disclose technical exploitation details.
Detection Methods for CVE-2021-30972
Indicators of Compromise
- Unexpected modifications to TCC databases at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db.
- Applications accessing protected resources (camera, microphone, Full Disk Access scopes) without a corresponding consent prompt in user-visible history.
- Unsigned or ad-hoc signed binaries spawning child processes that read sensitive directories such as ~/Library/Messages or ~/Library/Mail.
Detection Strategies
- Monitor process executions that touch tccd, the TCC daemon, or directly query TCC.db outside expected system workflows.
- Hunt for binaries lacking valid notarization or signed by unexpected Team IDs that subsequently access privacy-protected resources.
- Correlate kTCCService* log entries from the unified logging system against the population of installed applications to surface anomalies.
Monitoring Recommendations
- Enable endpoint telemetry that captures macOS Endpoint Security framework events for file access, process creation, and entitlement use.
- Forward unified logs filtered on subsystem com.apple.TCC to a centralized logging platform for retrospective analysis.
- Baseline normal TCC consent activity per host and alert on deviations such as new applications gaining access without a recent prompt.
How to Mitigate CVE-2021-30972
Immediate Actions Required
- Apply Security Update 2022-001 Catalina on macOS 10.15.7 endpoints.
- Upgrade macOS Big Sur hosts to version 11.6.3 or later.
- Upgrade macOS Monterey 12.0.0 and 12.0.1 hosts to the current supported release.
- Inventory macOS endpoints in your fleet and confirm patch state through mobile device management (MDM) reporting.
Patch Information
Apple released fixes in Security Update 2022-001 Catalina and macOS Big Sur 11.6.3. Refer to the Apple Security Update HT213055, Apple Security Update HT213056, and Apple KB Article HT212978 for full version details and installation guidance.
Workarounds
- Restrict installation of untrusted applications by enforcing Gatekeeper policies and requiring notarized binaries.
- Deploy application allowlisting through MDM to prevent execution of unsigned local binaries.
- Limit local user privileges and avoid daily use of administrator accounts on macOS endpoints.
- Review and tighten Privacy & Security settings in System Preferences, removing access grants that are not required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

