A serious security flaw has been found in ExifTool, a popular open-source tool used to read and edit image file metadata.
Tracked as CVE-2026-3102, this vulnerability affects macOS systems and allows attackers to hide shell commands inside image files that silently execute when processed.
The discovery has raised alarms across industries that rely on automated image workflows, from forensic labs to large media organizations.
ExifTool has earned a strong reputation as the go-to solution for handling metadata across hundreds of file formats.
Photographers, digital archivists, forensic investigators, and data analysts all use it to extract details like GPS coordinates, camera settings, and timestamps embedded within image files.
Beyond individual use, its open-source library is deeply embedded within third-party tools such as photo management platforms and image automation software, including Exif Photoworker, MetaScope, and ImageIngester.
In large enterprises, ExifTool often runs silently through digital asset management systems, which makes the attack surface far broader.
Kaspersky researchers identified this vulnerability and reported it directly to ExifTool’s developer, Phil Harvey, who released a patch in version 13.50 shortly after being notified.
The team noted that this type of metadata-based attack vector is often missed by conventional security scanning, as most tools focus on file content rather than embedded metadata fields. Their findings reveal how a widely trusted everyday tool can quietly become a gateway for attackers targeting macOS environments.
When successfully exploited, this vulnerability gives attackers unauthorized access to the affected macOS system. From there, they can download and execute a remote payload, deploy Trojans, or drop infostealers designed to harvest sensitive data stored on the device.
What makes the attack especially unsettling is its near-invisibility — the malicious image can look perfectly normal and even serve a legitimate purpose, while the harmful shell commands run entirely out of sight.
The threat is particularly serious for organizations where images flow through automated pipelines daily — including forensics labs, newsrooms, legal offices, and medical imaging centers.
In these environments, files arrive from external sources regularly, and a single crafted image delivered through a routine submission channel could silently compromise an entire organization’s backend infrastructure.
The root of this exploit lies in how ExifTool on macOS handles the DateTimeOriginal field — a standard EXIF tag that normally stores when a photo was taken.
Attackers manipulate this field by storing it in an invalid format and embedding shell commands within it. When ExifTool processes such a file with the -n option (the short form of --printConv, which disables print conversion), it outputs the field's value in raw, unconverted form.
This raw output bypasses the formatting step that would otherwise neutralize the hidden commands, causing them to be interpreted and executed directly by the macOS shell.
CVE details:
| Field | Details |
|---|---|
| CVE ID | CVE-2026-3102 |
| Severity | Critical |
| CVSS Score | Critical (Exact score pending public disclosure) |
| CWE | CWE-78 — Improper Neutralization of Special Elements in OS Command |
| Affected Component | ExifTool (versions 13.49 and earlier) |
| Affected Platform | macOS |
| Vulnerable Field | DateTimeOriginal EXIF metadata field |
| Exploit Condition | -n / --printConv flag enabled during image processing |
| Impact | Remote code execution, Trojan/infostealer deployment, data theft |
| Patched Version | ExifTool 13.50 |
| Discovered By | Kaspersky GReAT (Global Research and Analysis Team) |
| Disclosure Date | March 2, 2026 |
| Fix Available | Yes — Update to ExifTool 13.50 immediately |
The -n flag is widely used across automated image processing pipelines because it produces clean, concise, machine-readable output — exactly the kind that enterprise workflows rely on.
This makes it a natural default in large-scale operations, which also means the two conditions needed to trigger the exploit — running on macOS with -n enabled — are commonly met together.
Without this flag, ExifTool renders the metadata output in a human-readable format, which unintentionally disrupts the exploit. But since machine-facing systems rarely use that display format, the flaw remains fully functional in most real-world deployments.
The ExifTool author has released version 13.50 to address CVE-2026-3102, and all users running version 13.49 or earlier must update immediately.
Organizations should audit all asset management platforms, photo processing applications, and custom scripts on macOS to confirm they are calling ExifTool 13.50 or later, and not running an embedded older copy of the library.
For added protection, images from untrusted or unknown sources should be processed in isolated virtual environments with restricted network access.
It is also advisable to continuously monitor open-source components used in internal workflows for newly disclosed vulnerabilities through dedicated supply chain tracking tools.
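As an added example, not code from the advisory or from ExifTool itself, the Python helpers below cover two of the points above in a defensive pre-screening step: they flag any DateTimeOriginal value that is not a well-formed EXIF timestamp (the invalid-format condition described in the root-cause section) and they gate the -n option on the installed ExifTool being 13.50 or later (the version audit from the mitigation steps). They assume the pipeline reads ExifTool's -j JSON output, that `exiftool -ver` prints a bare version such as 13.49, and that the sample records are constructed.

```python
import re
from typing import Dict, List, Optional

# Strict EXIF DateTimeOriginal layout: "YYYY:MM:DD HH:MM:SS".
# The advisory says crafted images store this tag in an invalid format,
# so anything that fails this exact pattern (including the all-spaces
# "unknown" form) is treated as suspect and kept out of the raw-mode path.
DATETIME_ORIGINAL_RE = re.compile(r"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}")

PATCHED = (13, 50)  # first fixed release named by the advisory


def parse_version(ver_output: str) -> tuple:
    """Turn the output of `exiftool -ver` (e.g. '13.49\\n') into (13, 49)."""
    return tuple(int(p) for p in ver_output.strip().split("."))


def is_patched(ver_output: str) -> bool:
    """True when the installed ExifTool is 13.50 or later."""
    return parse_version(ver_output) >= PATCHED


def datetime_original_ok(value: Optional[str]) -> bool:
    """Accept an absent tag or an exactly well-formed timestamp, nothing else."""
    return value is None or DATETIME_ORIGINAL_RE.fullmatch(value) is not None


def suspect_files(records: List[Dict]) -> List[str]:
    """Given the JSON array `exiftool -j` emits (one object per file with a
    SourceFile key), list the files whose DateTimeOriginal is not clean."""
    return [r["SourceFile"] for r in records
            if not datetime_original_ok(r.get("DateTimeOriginal"))]


def exiftool_argv(path: str, ver_output: str, want_raw: bool = True) -> List[str]:
    """Build the ExifTool command for a pipeline step. -n is only added once
    the installed version is confirmed patched; otherwise the call falls back
    to print-converted output, which the advisory says does not trigger the flaw."""
    argv = ["exiftool", "-j"]
    if want_raw and is_patched(ver_output):
        argv.append("-n")
    argv.append(path)
    return argv


# Constructed sample of what `exiftool -j` might return for three files.
SAMPLE = [
    {"SourceFile": "a.jpg", "DateTimeOriginal": "2024:05:01 09:12:33"},
    {"SourceFile": "b.jpg"},  # tag absent: nothing to validate
    {"SourceFile": "c.jpg", "DateTimeOriginal": "2024:05:01 09:12:33; not a date"},
]

if __name__ == "__main__":
    print(suspect_files(SAMPLE))                    # ['c.jpg']
    print(exiftool_argv("a.jpg", "13.49"))          # no -n on an unpatched install
    print(exiftool_argv("a.jpg", "13.50"))          # -n allowed once patched
```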