Critical Arbitrary‑Command Execution in ExifTool (CVE‑2026‑3102) Threatens macOS Image Workflows
What It Is – A newly disclosed vulnerability (CVE‑2026‑3102) in ExifTool 13.49 and earlier permits an attacker to embed malicious shell commands in an image’s metadata. When the victim runs ExifTool with the -n/-printConv flag, the unsanitized value reaches a system() call, enabling arbitrary command execution with the invoking user’s privileges.
Exploitability – Proof‑of‑concept code was released by Kaspersky’s GReAT team. No public ransomware or APT campaign has been observed yet, but the exploit works on unpatched macOS installations out‑of‑the‑box. CVSS v3.1 base score 9.8 (Critical).
Affected Products – ExifTool (stand‑alone CLI and library) ≤ v13.49 on macOS. Any third‑party product that bundles ExifTool (digital asset management platforms, media‑processing SaaS, CI pipelines that auto‑tag images, etc.) inherits the flaw.
TPRM Impact – Organizations that rely on external vendors for image ingestion, metadata extraction, or automated publishing may inherit a supply‑chain attack surface. A compromised vendor could silently execute commands on a client’s macOS workstation, exfiltrate data, or install persistence mechanisms.
Recommended Actions –
- Verify ExifTool version on all macOS assets; upgrade immediately to v13.50 or later.
- Review vendor contracts for software that embeds ExifTool; request version attestations and patch timelines.
- Disable the
-n/-printConvflag in automated pipelines unless absolutely required. - Implement runtime monitoring for unexpected
system()calls originating from ExifTool processes. - Add metadata‑sanitization steps (e.g., strip EXIF data) before accepting files from untrusted sources.
Source: SecureList – Kaspersky