A newly disclosed vulnerability in ExifTool, tracked as CVE-2026-3102, exposes macOS systems to command execution attacks through malicious image metadata, highlighting ongoing risks in widely used file processing tools.
ExifTool is a popular utility used across media workflows to read and write metadata in images, PDFs, and multimedia files.
Its flexibility and integration into automation pipelines make it a critical component in many environments.
The vulnerability echoes an earlier one, CVE-2021-22204, which also involved improper input sanitization.
In the newly discovered issue, the root cause lies in how ExifTool handles metadata fields related to file creation dates on macOS.
Specifically, the vulnerability is triggered when metadata values associated with the FileCreateDate or MDItemFSCreationDate tags are processed without proper sanitization.
At a technical level, the issue stems from unsafe handling of user-controlled input reaching a sensitive function.
Security researchers from Kaspersky’s Global Research and Analysis Team (GReAT) identified the vulnerability in February 2026. It allows attackers to embed malicious commands inside image metadata and have them executed when the file is processed on macOS systems running ExifTool version 13.49 or earlier.
ExifTool internally constructs a system command using multiple variables, including a metadata value extracted directly from the file.
While most inputs are sanitized, the date value remains unfiltered in a specific execution path. This value is then passed into a system() call, allowing attackers to inject shell commands by manipulating metadata fields.
Exploitation requires the use of the -n flag, which instructs ExifTool to process raw metadata values without applying its usual formatting and validation checks.
This flag effectively bypasses internal protections, enabling attackers to store malicious payloads in metadata fields such as DateTimeOriginal.
These values can later be copied into the FileCreateDate field using the -tagsFromFile feature, triggering the vulnerable code path and executing the embedded command.
For example, an attacker can craft a seemingly harmless image containing a manipulated timestamp field.
The full $cmd value before the injection; I have added a debugging statement to display the actual command that is executed within the system() function.

When a macOS user processes this image with ExifTool using the vulnerable workflow, the hidden payload is executed through the system shell.
This can result in arbitrary command execution with the privileges of the user running the tool, potentially leading to malware deployment, data exfiltration, or lateral movement within a network.
The attack is particularly concerning for organizations that rely on automated image processing pipelines, digital asset management systems, or newsroom environments where large volumes of media files are handled.
Since the malicious content resides in metadata, the file itself may appear completely legitimate and evade traditional security checks.
ExifTool developers addressed the vulnerability in version 13.50 by redesigning how system commands are executed. Instead of building commands as concatenated strings, which are prone to injection, the patched version uses argument-based system calls.
This approach eliminates shell interpretation risks by passing parameters directly, preventing attackers from injecting arbitrary commands. Additionally, a dedicated wrapper function was introduced to securely manage system execution and output handling.
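The contrast described above, shown as an added example that is not ExifTool's own code: a date value is first interpolated into a command string handed to the shell (the vulnerable pattern), then passed as a single argv element with no shell (the patched pattern), plus a format check as defence in depth. The sample values are constructed, and `echo` is assumed as a stand-in for the real date-setting utility so the shell's parsing is visible in the output.

```python
import re
import subprocess

# Constructed sample values (not from the advisory): a normal timestamp and a
# timestamp carrying shell metacharacters, as an unsanitized date could after -n.
CLEAN_DATE = "2024:01:01 00:00:00"
TAINTED_DATE = "2024:01:01 00:00:00; echo INJECTED"
SAMPLE_FILE = "photo.jpg"  # never touched; echo only prints it

# Assumption: `echo` stands in for the platform date-setting utility so the
# example runs anywhere and makes the shell's interpretation visible.
TOOL = "echo"

def run_unsafe(date: str, path: str) -> list[str]:
    """Vulnerable pattern: command assembled as one string and handed to /bin/sh."""
    cmd = f"{TOOL} {date} {path}"  # date is interpolated unfiltered
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out.splitlines()

def run_safe(date: str, path: str) -> list[str]:
    """Hardened pattern: argv list, no shell, the date is one literal argument."""
    argv = [TOOL, date, path]
    out = subprocess.run(argv, capture_output=True, text=True).stdout
    return out.splitlines()

# Defence in depth: only accept the exact "YYYY:MM:DD HH:MM:SS" shape before
# the value is allowed anywhere near process-spawning code.
DATE_RE = re.compile(r"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}")

def is_valid_date(date: str) -> bool:
    return DATE_RE.fullmatch(date) is not None

def set_create_date(date: str, path: str) -> list[str]:
    """Validate, then execute without a shell; reject anything off-format."""
    if not is_valid_date(date):
        raise ValueError(f"rejected date value: {date!r}")
    return run_safe(date, path)

if __name__ == "__main__":
    print("unsafe :", run_unsafe(TAINTED_DATE, SAMPLE_FILE))
    print("safe   :", run_safe(TAINTED_DATE, SAMPLE_FILE))
    try:
        set_create_date(TAINTED_DATE, SAMPLE_FILE)
    except ValueError as err:
        print("validator:", err)
```

With the string-built command the shell runs a second `echo` line; with the argv form the whole tainted value is printed verbatim as one argument.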
Users and organizations are strongly advised to update to ExifTool version 13.50 or later immediately. It is also important to verify that no embedded or outdated versions of the tool exist within third-party applications or internal scripts.
Processing untrusted files in isolated environments, such as sandboxes or virtual machines, can further reduce exposure.
CVE-2026-3102 underscores a persistent security challenge in software design: improper input validation combined with unsafe command execution patterns. Even mature and widely trusted tools can introduce critical risks when handling untrusted data.
This case reinforces the importance of secure coding practices, particularly avoiding string-based command construction in favor of safer execution methods.