Description
Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability. Backup task definitions are stored in a location writable by non-privileged users while being processed with elevated privileges. By crafting a malicious serialized task file, a local attacker can trigger arbitrary file writes to sensitive system locations, leading to privilege escalation to root.
Published: 2026-02-12
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

Intego Personal Backup, a macOS backup utility, contains a local privilege escalation flaw. Backup task definitions are stored in a directory writable by non‑privileged users, while the system processes those files with elevated privileges. A local attacker who can create or modify a serialized task file can induce the backup engine to write arbitrary files to critical system locations, thereby gaining root access. The weakness stems from improper validation or sanitization of user supplied data (CWE‑59).

Affected Systems

The vulnerability affects the Intego Personal Backup application; specific version details are not disclosed in the available data. The issue is relevant to any installations that utilize the backup task feature on macOS.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local user access and the ability to create or alter backup task files in the writable directory, after which the backup engine—running as root—processes the malicious file and performs arbitrary file writes.

Generated by OpenCVE AI on April 16, 2026 at 06:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the permissions of the directory where backup task definitions are stored so that only privileged users can write to it.
  • Disable or delete any unneeded or unused backup tasks that allow privileged execution of user‑supplied tasks.
  • Regularly monitor the task definition directory for unexpected changes and investigate promptly.
  • Apply any vendor‑issued update to Intego Personal Backup that addresses the privilege escalation when it becomes available.

Generated by OpenCVE AI on April 16, 2026 at 06:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Intego
Intego personal Backup
Vendors & Products Intego
Intego personal Backup

Fri, 13 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability. Backup task definitions are stored in a location writable by non-privileged users while being processed with elevated privileges. By crafting a malicious serialized task file, a local attacker can trigger arbitrary file writes to sensitive system locations, leading to privilege escalation to root.
Title Intego Personal Backup Task File Privilege Escalation
Weaknesses CWE-59
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Intego Personal Backup
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:16.931Z

Reserved: 2026-02-11T20:08:07.945Z

Link: CVE-2026-26225

cve-icon Vulnrichment

Updated: 2026-02-13T15:48:26.238Z

cve-icon NVD

Status : Deferred

Published: 2026-02-12T22:16:07.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26225

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:00:10Z

Weaknesses