Description
Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the PrivilegedHelperTool XPC service in Cato Client before v5.13.1 on macOS allow a local authenticated attacker to escalate privileges to root via a self-signed certificate that bypasses the XPC caller verification and a symlink swap during package installation.
Published: 2026-07-01
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper certificate validation and a time-of-check time-of-use race condition in the PrivilegedHelperTool XPC service of the Cato Networks SDP Client allow a local authenticated user to execute actions as root. The attacker can send requests that the service accepts without verifying the caller's certificate chain (CWE-295), or can replace a symlink during package installation so that the helper acts on an attacker-controlled path with elevated privileges (CWE-367). Either path grants full root access on the affected macOS system.

Affected Systems

The vulnerability applies to macOS installations of Cato Networks’ SDP Client running any version earlier than 5.13.1. No other vendors or operating system versions are mentioned in the CNA data.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate risk. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, so exploit activity is currently uncertain. The flaw requires local access, either during installation or as an authenticated user sending requests to the XPC service, and is fully mitigated once the client is updated to a version that enforces proper certificate validation and removes the race condition.

Generated by OpenCVE AI on July 1, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cato Client to version 5.13.1 or later, which includes proper certificate validation and eliminates the TOCTOU race.
  • Reinstall the client after an upgrade to ensure the helper tool is installed with a valid system signature and any vulnerable symlinks are removed.
  • Delete any symlinks in the PrivilegedHelperTools directory that were created during the old installation or during the upgrade process and replace them with the correct binary from the updated package.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the PrivilegedHelperTool XPC service in Cato Client before v.5.13.1 on macOS allows a local authenticated attacker to escalate privileges to root via a self-signed certificate that bypasses the XPC caller verification and a symlink swap during package installation.

Type: Title
Values Removed: (none)
Values Added: Improper XPC caller certificate validation and TOCTOU race condition in macOS PrivilegedHelperTool

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-295, CWE-367

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0

{'score': 6.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:U/V:C/RE:L/U:Amber'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Cato

Published:

Updated: 2026-07-01T15:07:24.153Z

Reserved: 2026-06-16T07:28:42.180Z

Link: CVE-2026-12374

Vulnrichment

Updated: 2026-07-01T15:07:21.240Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:15:05Z

Weaknesses
  • CWE-295: Improper Certificate Validation
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition