macOS Sploitlight Flaw Exposes Apple Intelligence-Cached Data to Attackers
A newly disclosed macOS vulnerability allows attackers to bypass Apple’s privacy controls and access sensitive user data, including files cached by Apple Intelligence. Tracked as CVE-2025-31199, the flaw was identified by Microsoft Threat Intelligence and involves a method that abuses Spotlight plugins to leak protected files.
Microsoft Threat Intelligence, which originally spotted the vulnerability, disclosed the flaw and dubbed the exploit “Sploitlight” because of its abuse of Spotlight plugins. While Apple has already released a patch, the technical method behind the exploit is concerning for macOS users, especially those using Apple’s latest AI-powered features.
It all starts with how Spotlight, macOS’s built-in search tool, handles plugins known as importers. These are designed to help index content from specific apps like Outlook or Photos.
Microsoft researchers found that attackers could modify these importers to scan and leak sensitive data from TCC-protected locations like Downloads and Pictures, even without the user’s permission. The trick? Logging file contents in chunks through the system log, then quietly retrieving them.
However, according to the company’s blog post, it gets worse. Apple Intelligence, installed by default on all ARM-based Macs, stores caches containing geolocation data, photo and video metadata, recognised faces, and even search history.
This information, protected under TCC (Transparency, Consent, and Control) rules, is typically out of reach to apps without user consent. But using Sploitlight, attackers can pull this data directly from the caches, bypassing the system’s consent mechanisms entirely.
Microsoft’s proof-of-concept shows a clear step-by-step process attackers could use to exploit the flaw. By modifying the metadata of a Spotlight plugin, placing it in a specific directory, and triggering a scan, attackers can tap into sensitive folders without ever requesting access. And because these plugins don’t need to be signed, no compilation is necessary. A few tweaks to a text file are all it takes.
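Because the attack hinges on an importer bundle dropped into a directory the user can write to, a first defensive check is simply to know which importers are installed and where. The script below is an added example, not code from Microsoft’s or Apple’s write-ups; it walks the standard importer directories (the three paths are an assumption that no extra search paths are configured), reads each bundle’s Info.plist, and reports the bundle identifier, the content types it claims, and whether the bundle is writable by the current user. The `demo()` helper builds a constructed sample bundle in a temporary directory so the logic can be exercised on any system.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Standard Spotlight importer locations on macOS (assumed complete).
# ~/Library/Spotlight is writable by the user's own processes; the others are system-owned.
IMPORTER_DIRS = [Path.home() / "Library/Spotlight",
                 Path("/Library/Spotlight"), Path("/System/Library/Spotlight")]


def read_importer(bundle):
    """Describe one .mdimporter bundle: identity, claimed UTIs, writability."""
    info = bundle / "Contents" / "Info.plist"
    try:
        with info.open("rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        plist = {}  # an unreadable or malformed plist is itself worth a look
    types = set()
    for doc in plist.get("CFBundleDocumentTypes", []):
        types.update(doc.get("LSItemContentTypes", []))
    return {"path": str(bundle),
            "identifier": plist.get("CFBundleIdentifier", "<missing>"),
            "content_types": sorted(types),
            "user_writable": os.access(bundle, os.W_OK)}


def audit_importers(dirs=IMPORTER_DIRS):
    """Inventory every importer bundle under the given directories."""
    found = []
    for d in dirs:
        if d.is_dir():
            found.extend(read_importer(b) for b in sorted(d.glob("*.mdimporter")))
    return found


def demo():
    """Audit a constructed sample bundle (not a real importer) in a temp dir."""
    root = Path(tempfile.mkdtemp())
    contents = root / "Sample.mdimporter" / "Contents"
    contents.mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.sample-importer",
                       "CFBundleDocumentTypes": [{"LSItemContentTypes":
                                                  ["public.plain-text"]}]}, fh)
    return audit_importers([root])


if __name__ == "__main__":
    for entry in audit_importers():
        flag = "USER-WRITABLE " if entry["user_writable"] else ""
        print(f'{flag}{entry["identifier"]}: {entry["path"]} -> {entry["content_types"]}')
```

Compare the result against `mdimport -L`, which prints the importers Spotlight has actually loaded; any user-writable bundle you do not recognise deserves a closer look.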
Apple’s patch, released in March 2025 for macOS Sequoia, addresses this flaw. Microsoft thanked Apple’s security team for cooperating under Coordinated Vulnerability Disclosure and urged users to install the updates without delay.
The impact goes further than the mechanics of the exploit and affects real user data. Since metadata and facial recognition information sync across Apple devices via iCloud, attackers exploiting a single Mac could also gain indirect insights into iPhones or iPads linked to the same account.
This isn’t the first TCC bypass Apple has dealt with. Earlier examples like powerdir and HM-Surf relied on different system components, but Sploitlight’s use of Spotlight importers makes the attack both subtle and effective. It blurs the lines between trusted operating system components and what can be injected from user-controlled sources.
If you use a Mac, especially one with Apple Intelligence features active, make sure your system is up to date. The fix for CVE-2025-31199 is available now, and applying it closes off this particular avenue of data theft.