Researchers at XM Cyber discovered a macOS vulnerability that allows standard users to disable security tools like CrowdStrike Falcon EDR and Kandji MDM by exploiting flaws in how the OS caches and trusts application cryptographic hashes (CDHash). This issue enables attackers to impersonate trusted app components and invoke privileged Cross-Process Communication (XPC) services without administrator privileges, impacting numerous macOS applications relying on XPC. While some vendors have patched the flaw, Apple reportedly does not plan to fix the underlying OS issue, leaving developers to implement their own mitigations.
Apple’s MacOS Security Gap Lets Users Disable Security Tools

