New “Daemon Ex Plist” Vulnerability Gives Attackers Root Access on macOS

A critical vulnerability in macOS allows attackers to escalate privileges to root access through misconfigured daemon services. 

The vulnerability, dubbed “Daemon Ex Plist,” exploits weaknesses in how macOS handles service property list (plist) files and has been found to affect multiple popular VPN applications and other software.

Key Takeaways
1. macOS daemons left behind in /Library/LaunchDaemons/ with writable paths.
2. Impacts numerous VPN clients and other apps
3. Install privileged helper binaries and clean up daemon plist entries.

macOS Root Privilege Escalation

The vulnerability stems from the improper configuration of macOS daemon services that run with root privileges. 

When applications are installed, they create plist files in /Library/LaunchDaemons/ that define service configurations, including the path to executable files. 

The critical flaw occurs when these plist files reference executable paths that regular users can access or modify. The issue becomes exploitable when applications are uninstalled but leave their plist files behind. 

“If the developer does not manually remove the plist files from /Library/LaunchDaemons/, we can exploit this oversight,” PT SWARM reports.

The exploitation process involves creating a malicious executable at the path specified in the abandoned plist file. For example, a typical vulnerable plist might contain:

Attackers can then compile and deploy malicious code using commands like:

Affected Applications

The vulnerability has been confirmed in numerous popular applications, with VPN software being particularly susceptible due to their need for system-level access. 

Affected applications include Mozilla VPN (v2.28.0), Tunnelblick (7.1beta01 build 6220), Pritunl (1.3.4220.57), Cloudflare Warp, ExpressVPN, Amnezia VPN (4.8.6.0), Mullvad VPN (2025.7), and Red Shield VPN (3.5.7).

Beyond VPN applications, other software categories are also vulnerable, including OneDrive and Logitech G Hub. 

The researchers noted that “several other vendors are also vulnerable to this issue, and have not yet released a patch”.

To address this vulnerability, developers should relocate daemon executable files to /Library/PrivilegedHelperTools/, a directory that requires root privileges for write access. This prevents regular users from creating malicious files in these locations.

Users can check for potentially vulnerable services by examining files in /Library/LaunchDaemons/ using the command:

The vulnerability highlights the importance of proper cleanup during application uninstallation and secure path configuration for system services running with elevated privileges.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now