The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-23746

CVE-2024-23746: Miro Desktop RCE Vulnerability

CVE-2024-23746 is a remote code execution flaw in Miro Desktop for macOS that enables local Electron code injection through bundle manipulation. This article covers technical details, affected versions, and mitigations.

Published: April 15, 2026

CVE-2024-23746 Overview

CVE-2024-23746 is a critical Code Injection vulnerability affecting Miro Desktop version 0.8.18 on macOS. The vulnerability allows local attackers to inject malicious Electron code through a complex multi-step exploitation process that bypasses macOS security controls. Specifically, the attack circumvents the kTCCServiceSystemPolicyAppBundles requirement through a series of file system manipulations involving file copying, directory renaming, ASAR archive modification, and subsequent restoration of the original directory structure.

This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the application fails to properly validate or sanitize code that is dynamically generated or executed within the Electron framework.

Critical Impact

Successful exploitation enables attackers to execute arbitrary code within the context of the Miro Desktop application, potentially leading to complete compromise of user data, credential theft, and persistent access to the affected macOS system.

Affected Products

  • Miro Desktop version 0.8.18 on macOS
  • Apple macOS (as the underlying platform)

Discovery Timeline

  • 2024-02-02 - CVE-2024-23746 published to NVD
  • 2025-06-04 - Last updated in NVD database

Technical Details for CVE-2024-23746

Vulnerability Analysis

The vulnerability exploits weaknesses in how Miro Desktop handles its Electron application bundle on macOS. Electron applications package their source code in ASAR (Atom Shell Archive) archives, which can be extracted, modified, and repackaged if proper protections are not in place.

The attack leverages the Transparency, Consent, and Control (TCC) framework bypass on macOS. The kTCCServiceSystemPolicyAppBundles protection normally prevents unauthorized modifications to application bundles. However, by performing a specific sequence of file system operations—copying the application, renaming the app.app/Contents directory, modifying the ASAR archive to inject malicious code, and renaming the directory back—an attacker can circumvent these protections.

This exploitation technique is documented in the HackTricks MacOS Process Abuse resource as a known method for injecting code into Electron applications on macOS.

Root Cause

The root cause stems from insufficient validation of the application bundle integrity at runtime and the Electron framework's susceptibility to ASAR archive tampering. When the modified Miro Desktop application is launched, it executes the injected malicious code with the same privileges as the legitimate application, including any TCC permissions previously granted by the user.

Additionally, the lack of code signing validation during the ASAR loading process allows tampered archives to be processed without triggering security alerts.

Attack Vector

The attack requires local access to the target macOS system and follows a multi-step process:

  1. File Copy: The attacker creates a copy of the Miro Desktop application bundle to a location where they have write permissions
  2. Directory Rename: The app.app/Contents directory is renamed to bypass TCC bundle protection monitoring
  3. ASAR Modification: The application's ASAR archive is extracted, malicious JavaScript code is injected, and the archive is repackaged
  4. Restore Structure: The directory is renamed back to app.app/Contents
  5. Execution: When the modified application launches, the injected code executes with full application privileges

The attacker can inject code that accesses sensitive data, captures user credentials, or establishes persistence on the compromised system. Technical details and proof-of-concept code are available in the GitHub Repository CVE-2024-23746.

Detection Methods for CVE-2024-23746

Indicators of Compromise

  • Unexpected modifications to Miro Desktop application bundle files or ASAR archives
  • Changes to the app.app/Contents directory structure or unusual renaming patterns
  • Presence of unauthorized JavaScript files within the Electron application resources
  • Modified file hashes for ASAR archives compared to legitimate Miro releases

Detection Strategies

  • Monitor file system events for operations targeting /Applications/Miro.app/ and related Electron bundle directories
  • Implement integrity monitoring to detect changes to application ASAR archives using hash comparisons
  • Watch for suspicious process activity involving asar extraction or packing utilities
  • Alert on applications running from non-standard locations with names similar to legitimate applications

Monitoring Recommendations

  • Enable macOS Unified Logging and monitor for TCC-related events involving bundle modifications
  • Deploy endpoint detection and response (EDR) solutions with behavioral analysis for Electron application tampering
  • Configure SentinelOne to detect anomalous file operations within macOS application bundles
  • Monitor for JavaScript execution within Electron applications that deviates from baseline behavior

How to Mitigate CVE-2024-23746

Immediate Actions Required

  • Update Miro Desktop to the latest available version beyond 0.8.18
  • Review application bundle integrity using code signing verification tools
  • Audit systems for signs of compromise using the indicators listed above
  • Restrict user permissions to modify application directories where feasible

Patch Information

Users should upgrade Miro Desktop to the latest version available. Verify the application signature after installation using macOS code signing utilities. Consult the Miro Company Overview page for official update channels and security guidance.

The Electron Blog CVE Statement provides additional context on Electron application security and recommended mitigations for this class of vulnerabilities.

Workarounds

  • Enable macOS System Integrity Protection (SIP) to prevent unauthorized modifications to system applications
  • Configure file system permissions to restrict write access to application bundle directories
  • Use application whitelisting solutions to prevent execution of tampered Electron applications
  • Consider deploying applications to protected system directories rather than user-writable locations
bash
# Verify application code signing integrity
codesign --verify --deep --strict /Applications/Miro.app

# Check for recent modifications to application bundle
find /Applications/Miro.app -type f -mtime -7 -ls

# Enable macOS firewall and restrict network access for untrusted applications
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechMiro
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability0.82%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-94
  • Technical References
  • HackTricks MacOS Process Abuse
  • GitHub Repository CVE-2024-23746
  • Miro Company Overview
  • Electron Blog CVE Statement
  • Latest CVEs
  • CVE-2026-8468: Elixir Plug Library DoS Vulnerability
  • CVE-2026-8295: simdjson Information Disclosure Vulnerability
  • CVE-2025-68421: Comarch ERP Optima Auth Bypass Vulnerability
  • CVE-2025-68420: Comarch ERP Optima Privilege Escalation
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English