CVE-2025-10906 Overview
CVE-2025-10906 is a missing authentication vulnerability [CWE-287] in Magnetism Studios Endurance up to version 3.3.0 on macOS. The flaw resides in the loadModuleNamed:WithReply: method exposed by the privileged helper at /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper. The helper exposes an NSXPC interface that does not validate the identity of connecting clients. A local attacker can connect to the helper and invoke its exported methods to load arbitrary modules. A proof-of-concept exploit is publicly available.
Critical Impact
Local attackers can abuse the unauthenticated NSXPC interface to load attacker-controlled modules through a privileged helper, leading to high impact on confidentiality, integrity, and availability of the host.
Affected Products
- Magnetism Studios Endurance versions up to and including 3.3.0
- Component: com.MagnetismStudios.endurance.helper privileged helper
- Platform: macOS
Discovery Timeline
- 2025-09-24 - CVE-2025-10906 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10906
Vulnerability Analysis
Endurance ships a privileged helper tool installed under /Applications/Endurance.app/Contents/Library/LaunchServices/. The helper exposes functionality over an NSXPC interface, Apple's object-oriented inter-process communication framework. One exported selector, loadModuleNamed:WithReply:, loads a module by name on behalf of the calling process. The helper does not verify the identity, signature, or entitlements of the connecting client before honoring the request. Any local process can therefore reach the helper and invoke this routine. The result is an authentication failure that enables module loading from an untrusted caller.
Root Cause
The underlying defect is the absence of client validation on the NSXPC listener. Hardened NSXPC services should implement the NSXPCListenerDelegate method listener:shouldAcceptNewConnection: and audit the peer there using its audit token, code signing requirements, or team identifier checks. Endurance's helper accepts connections without performing these checks, satisfying [CWE-287] Missing Authentication for Critical Function.
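The client validation described above, sketched as an added example (not Endurance's code and not a vendor fix). The protocol signature, the Mach service name com.example.helper, the client identifier, the team ID TEAMID1234, the module directory and the module names are all assumed placeholders.

```objc
// Added example: a helper that only serves a pinned, code-signed client.
#import <Foundation/Foundation.h>

// Assumed shape of the exported protocol; only the selector name is from the advisory.
@protocol HelperProtocol
- (void)loadModuleNamed:(NSString *)name WithReply:(void (^)(BOOL loaded))reply;
@end

// Placeholder requirement: substitute the real client identifier and team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID1234\"";
// Hypothetical root-owned directory that holds the only loadable modules.
static NSString *const kModuleDir = @"/Library/Application Support/ExampleHelper/Modules";

@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation Helper
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)connection {
    if (@available(macOS 13.0, *)) {
        // The framework rejects messages from peers that fail this requirement.
        [connection setCodeSigningRequirement:kClientRequirement];
    } else {
        return NO;  // fail closed where the API is unavailable
    }
    connection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    connection.exportedObject = self;
    [connection resume];
    return YES;
}

- (void)loadModuleNamed:(NSString *)name WithReply:(void (^)(BOOL))reply {
    // Defense in depth: fixed names only, so no caller-supplied path is ever loaded.
    NSSet<NSString *> *allowed = [NSSet setWithObjects:@"ModuleA", @"ModuleB", nil];
    if (![allowed containsObject:name]) { reply(NO); return; }
    NSString *path = [[kModuleDir stringByAppendingPathComponent:name]
        stringByAppendingPathExtension:@"bundle"];
    NSBundle *module = [NSBundle bundleWithPath:path];
    reply(module != nil && [module loadAndReturnError:NULL]);
}
@end

int main(void) {
    Helper *helper = [Helper new];
    NSXPCListener *listener =
        [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
    listener.delegate = helper;
    [listener resume];
    [[NSRunLoop currentRunLoop] run];
    return 0;
}
```

On systems older than macOS 13 the same decision has to be made from the peer's audit token and a SecCode requirement check; the sketch refuses connections there instead.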
Attack Vector
Exploitation requires local access to the macOS host but no prior privileges or user interaction. An attacker with code execution as a standard user connects to the helper's Mach service name, retrieves the remote object proxy for the exposed protocol, and calls loadModuleNamed:WithReply: with a chosen module identifier. Because the helper runs with elevated privileges via SMJobBless or a similar launch mechanism, the loaded module executes in that privileged context. Public proof-of-concept material is referenced in the GitHub PoC Documentation.
Detection Methods for CVE-2025-10906
Indicators of Compromise
- Unexpected child processes spawned by com.MagnetismStudios.endurance.helper outside normal application workflows.
- Module or bundle loads originating from user-writable directories under /Users/ or /tmp/ referenced by the helper.
- New or modified files in the Endurance application support directory not initiated by the signed Endurance UI process.
Detection Strategies
- Monitor XPC connection events to the com.MagnetismStudios.endurance.helper Mach service from processes other than Endurance.app.
- Inspect Endpoint Security framework events for ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_EXEC involving the helper binary path.
- Alert when the helper process loads dynamic libraries or bundles from paths outside its own application bundle.
Monitoring Recommendations
- Audit installed versions of Endurance across the macOS fleet and flag any instance at 3.3.0 or earlier.
- Forward unified log entries filtered on subsystem com.MagnetismStudios.endurance to a central log platform for review.
- Track privileged helper installations enumerated under /Library/PrivilegedHelperTools/ and /Applications/*/Contents/Library/LaunchServices/ for unexpected use.
How to Mitigate CVE-2025-10906
Immediate Actions Required
- Inventory macOS endpoints for Magnetism Studios Endurance and identify all installations at version 3.3.0 or below.
- Uninstall Endurance from systems where it is not actively required until a fixed release is available.
- Restrict local user privileges and enforce application allowlisting to limit which processes can connect to privileged XPC services.
Patch Information
No vendor-supplied patch has been referenced in the published advisory at the time of writing. Consult the vendor and the VulDB entry #325691 for updates on a fixed version.
Workarounds
- Remove the helper binary at /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper and unload its launchd job to disable the vulnerable NSXPC interface.
- Block execution of the Endurance application and its helper through macOS configuration profiles or endpoint protection policies until a patched build is released.
- Limit physical and remote interactive access to affected workstations to reduce exposure to local exploitation.
```bash
# Configuration example: unload and remove the vulnerable helper
sudo launchctl unload /Library/LaunchDaemons/com.MagnetismStudios.endurance.helper.plist
sudo rm -f /Library/LaunchDaemons/com.MagnetismStudios.endurance.helper.plist
sudo rm -f "/Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper"
sudo rm -rf "/Applications/Endurance.app"
```

