HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Arbitrary‑Command Execution in ExifTool (CVE‑2026‑3102) Threatens macOS Image Workflows

A flaw in ExifTool ≤ v13.49 allows attackers to embed malicious commands in image metadata. When processed with the `-n` flag on macOS, the vulnerability can lead to full system compromise, exposing any organization that uses ExifTool directly or via third‑party services.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 securelist.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securelist.com

Critical Arbitrary‑Command Execution in ExifTool (CVE‑2026‑3102) Threatens macOS Image Workflows

What It Is – A newly disclosed vulnerability (CVE‑2026‑3102) in ExifTool 13.49 and earlier permits an attacker to embed malicious shell commands in an image’s metadata. When the victim runs ExifTool with the -n/-printConv flag, the unsanitized value reaches a system() call, enabling arbitrary command execution with the invoking user’s privileges.

Exploitability – Proof‑of‑concept code was released by Kaspersky’s GReAT team. No public ransomware or APT campaign has been observed yet, but the exploit works on unpatched macOS installations out‑of‑the‑box. CVSS v3.1 base score 9.8 (Critical).

Affected Products – ExifTool (stand‑alone CLI and library) ≤ v13.49 on macOS. Any third‑party product that bundles ExifTool (digital asset management platforms, media‑processing SaaS, CI pipelines that auto‑tag images, etc.) inherits the flaw.

TPRM Impact – Organizations that rely on external vendors for image ingestion, metadata extraction, or automated publishing may inherit a supply‑chain attack surface. A compromised vendor could silently execute commands on a client’s macOS workstation, exfiltrate data, or install persistence mechanisms.

Recommended Actions

  • Verify ExifTool version on all macOS assets; upgrade immediately to v13.50 or later.
  • Review vendor contracts for software that embeds ExifTool; request version attestations and patch timelines.
  • Disable the -n/-printConv flag in automated pipelines unless absolutely required.
  • Implement runtime monitoring for unexpected system() calls originating from ExifTool processes.
  • Add metadata‑sanitization steps (e.g., strip EXIF data) before accepting files from untrusted sources.

Source: SecureList – Kaspersky

📰 Original Source
https://securelist.com/exiftool-compromise-mac/119866/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →