macOS XPC Flaw Allows Standard Users to Disable CrowdStrike and Kandji Security Tools
What Happened — A vulnerability in macOS’s XPC services permitted a non‑privileged (standard) user to stop the CrowdStrike Falcon and Kandji MDM agents, effectively disabling endpoint detection and response on the host. The flaw was disclosed by XM Cyber, confirmed by Apple, CrowdStrike, and Kandji, and patched in subsequent macOS updates. No public evidence of active exploitation has been reported.
Why It Matters for Compliance & Audit Readiness
- The ability for a regular user to disable security tooling violates SOC 2 CC6.1 (System Operations) and CC6.2 (Change Management) controls that require continuous protection of system components.
- Continuous monitoring of endpoint‑agent status and tamper‑evidence logs are essential to prove that security controls remain in place during an audit.
- Verisq’s SOC 2 Access Controls capability can automatically collect and retain immutable evidence of agent health, helping you demonstrate that endpoint protection cannot be arbitrarily turned off.
Who Is Affected — Enterprises that deploy macOS endpoints and rely on third‑party EDR/MDM solutions (e.g., finance, healthcare, technology SaaS, and professional services firms).
Recommended Actions
- Review and tighten macOS user privilege assignments; enforce least‑privilege policies that prevent standard users from managing system services.
- Deploy tamper‑resistant configurations for EDR/MDM agents (e.g., kernel‑level protection, launch‑daemon restrictions).
- Integrate continuous agent‑status monitoring into your SOC 2 evidence collection pipeline; retain logs that show agents remain active and unaltered.
- Apply the latest macOS security updates and verify that the vendor‑released patches are installed across all devices.
Technical Notes — The flaw leveraged an XPC (Cross‑Process Communication) service mis‑use, allowing a standard user to issue a stop command to security agents. No CVE number was disclosed at the time of reporting. The vulnerability does not directly expose data, but it creates a window for attackers to operate undetected. Source: HackRead