Apple has patched a critical macOS vulnerability that allowed attackers to bypass Transparency, Consent, and Control (TCC) protections and access highly sensitive user data, including information cached by Apple Intelligence.
The flaw, tracked as CVE-2025-31199 and dubbed “Sploitlight” by Microsoft researchers, exploited Spotlight plugin behavior to evade privacy controls and harvest detailed user information. It was addressed in March 2025 with macOS Sequoia 15.4 through “improved data redaction.”
Exploiting Spotlight for Privileged Access
TCC is a macOS security framework that restricts how apps access sensitive user data such as location, photos, calendar, and contacts. It requires explicit user consent before apps can access protected resources.
Microsoft’s researchers — Jonathan Bar Or, Alexia Wilson, and Christine Fossaceca — discovered that Spotlight plugins could be leveraged to execute code with elevated privileges, bypassing TCC’s protections and accessing files normally restricted to apps with Full Disk Access.
“While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of Sploitlight are more severe,” Microsoft stated. “It enables exfiltration of Apple Intelligence cache and remote information from iCloud-linked devices.”
What Attackers Could Steal
The potential impact of the vulnerability is extensive. Attackers could steal:
- Precise geolocation data
- Photo and video metadata
- Face and person recognition data
- Photo albums and shared libraries
- Search history and user preferences
- Deleted photos and videos
- Remote data from iCloud-linked devices
The vulnerability exploited a “logging issue,” as described by Apple, but Microsoft showed that the underlying mechanism allowed the unauthorized execution of code that interacted directly with sensitive system components.
Sploitlight exploit (Microsoft)