CVE-2025-61229 Overview
CVE-2025-61229 is a local privilege escalation vulnerability affecting Shirt Pocket's SuperDuper! backup application for macOS, versions 3.10 and earlier. This vulnerability allows a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, effectively bypassing macOS privacy controls and Transparency, Consent, and Control (TCC) protections.
The flaw stems from improper access control (CWE-284) and incorrect default permissions (CWE-276) on task template files, enabling unprivileged users to inject malicious scripts that execute with elevated privileges during backup operations.
Critical Impact
Local attackers can achieve root-level code execution with Full Disk Access, completely bypassing macOS security controls and gaining unrestricted access to protected system resources and user data.
Affected Products
- Shirt Pocket SuperDuper! version 3.10 and earlier
- All macOS installations running vulnerable SuperDuper! versions
Discovery Timeline
- 2025-12-01 - CVE-2025-61229 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-61229
Vulnerability Analysis
This vulnerability carries a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The scoring reflects:
- Attack Vector (AV:L): Local access required - attacker must have local system access
- Attack Complexity (AC:L): Low complexity - exploitation is straightforward
- Privileges Required (PR:L): Low privileges - standard user account is sufficient
- User Interaction (UI:N): None required - exploitation is autonomous
- Impact: High confidentiality, integrity, and availability impact
The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and CWE-284 (Improper Access Control), indicating fundamental security design flaws in how SuperDuper! manages task template files and script execution permissions.
According to EPSS (Exploit Prediction Scoring System), this vulnerability has a probability score of 0.012%, placing it in the 1.253 percentile, suggesting relatively low predicted exploitation activity at this time.
Root Cause
The root cause lies in SuperDuper!'s handling of task templates and preflight script configurations. The application stores task templates with insufficient access controls, allowing local users with standard privileges to modify these template files. When SuperDuper! executes backup operations, it processes these templates and runs associated preflight scripts with elevated privileges (root) and Full Disk Access entitlements.
The combination of weak file permissions on template storage locations and the privileged execution context of preflight scripts creates a classic privilege escalation vector. macOS grants SuperDuper! Full Disk Access to perform backup operations, and this access is inherited by any scripts executed within its operational context.
Attack Vector
The attack scenario proceeds as follows:
- A local attacker identifies the location of SuperDuper!'s default task template files
- The attacker modifies the template to include a malicious preflight script or alters an existing preflight script path to point to an attacker-controlled script
- When the legitimate user or scheduled task initiates a backup operation, SuperDuper! loads the modified template
- The malicious preflight script executes with root privileges and Full Disk Access, bypassing TCC protections
- The attacker gains persistent elevated access to the system, including access to protected directories like ~/Library/Application Support, Safari data, and other TCC-protected resources
The vulnerability mechanism involves modifying task template files stored in user-accessible locations. For detailed technical analysis, refer to the vendor's security update documentation at the release notes reference.
Detection Methods for CVE-2025-61229
Indicators of Compromise
- Unexpected modifications to SuperDuper! task template files
- Unusual preflight scripts referenced in backup configurations
- Processes spawning from SuperDuper! with unexpected command-line arguments
- Access to TCC-protected directories from unexpected parent processes
- New or modified shell scripts in SuperDuper! configuration directories
Detection Strategies
File Integrity Monitoring:
Monitor SuperDuper! configuration and template directories for unauthorized modifications. Establish baselines for legitimate template files and alert on any changes.
Process Monitoring:
Track child processes spawned by SuperDuper! during backup operations. Legitimate preflight scripts should be well-documented and consistent. Unknown scripts or unexpected command execution warrants investigation.
TCC Access Auditing:
Review macOS Unified Logs for TCC access requests originating from SuperDuper! processes. Anomalous access patterns to protected resources may indicate exploitation.
SentinelOne Singularity Platform provides automated detection of privilege escalation attempts and unauthorized script execution through behavioral AI analysis. The platform monitors process trees and identifies suspicious parent-child relationships indicative of this attack pattern.
Monitoring Recommendations
Organizations should implement the following monitoring measures:
- Enable detailed logging for backup application activities
- Configure alerts for modifications to SuperDuper! configuration files
- Monitor for scripts executing with Full Disk Access entitlements
- Review backup schedules and associated preflight/postflight scripts regularly
- Implement endpoint detection and response (EDR) solutions to identify privilege escalation attempts
How to Mitigate CVE-2025-61229
Immediate Actions Required
- Update SuperDuper! to version 3.11 or later immediately
- Audit existing task templates and preflight scripts for unauthorized modifications
- Review and restrict file permissions on SuperDuper! configuration directories
- Temporarily disable preflight scripts until the patch is applied if upgrade is not immediately possible
- Monitor systems for signs of exploitation using the detection methods outlined above
Patch Information
Shirt Pocket has released SuperDuper! version 3.11 which addresses this security vulnerability. The update is available through the vendor's official website and should be applied immediately to all affected systems.
Vendor Resources:
- Product Page: https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html
- Security Update Release Notes: https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/
Organizations should prioritize this update for all macOS systems running SuperDuper! for backup operations, particularly in environments where multiple users have local access.
Workarounds
If immediate patching is not feasible, the following temporary mitigations can reduce risk:
Restrict Template File Permissions: Manually set restrictive permissions on SuperDuper! task template directories to prevent modification by non-administrative users
Disable Preflight Scripts: Review backup configurations and disable preflight script execution until the patch can be applied
Limit Local User Access: Restrict local user accounts on systems running SuperDuper! to reduce the attack surface
Implement Application Whitelisting: Use macOS application controls to restrict which scripts can execute in the context of backup operations
# Verify SuperDuper! version and check for updates
# Navigate to SuperDuper! > About SuperDuper! to verify version 3.11+
# Or check via command line:
mdls -name kMDItemVersion /Applications/SuperDuper\!.app
# Review and restrict permissions on configuration directories
# Consult vendor documentation for specific paths
Note: These workarounds are temporary measures. Applying the official security patch (version 3.11) is the recommended permanent solution to fully remediate CVE-2025-61229.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
