SuperDuper! Hit with Critical Vulnerability: CVE-2025-61229 Enables Root Privilege Escalation and Privacy Bypass on macOS

Overview

CVE-2025-61229 identifies a security vulnerability affecting Shirt Pocket’s SuperDuper! version 3.10 and earlier. This flaw allows a local attacker to potentially modify the default task template within the application. By doing so, the attacker can execute an arbitrary preflight script with root privileges and Full Disk Access. This effectively bypasses macOS’s built-in privacy controls, granting unauthorized access to sensitive system data.

Technical Details

The vulnerability stems from insufficient input validation or access control mechanisms within SuperDuper! related to the default task template. A local attacker, with sufficient permissions to modify application-related files (but not necessarily root privileges initially), can leverage this to insert malicious code into the preflight script configuration. Because SuperDuper! runs preflight scripts with elevated privileges to perform backup operations, the injected code is executed with root access and Full Disk Access, allowing complete system compromise.

CVSS Analysis

Currently, a CVSS score is not available (N/A) for CVE-2025-61229. This is likely due to the recent discovery of the vulnerability. However, given the potential for root privilege escalation and complete privacy bypass, the severity is anticipated to be Critical. A CVSS score, once assigned, will likely reflect this severity, potentially falling within the 9.0-10.0 range.

Possible Impact

The exploitation of CVE-2025-61229 can have severe consequences:

• Complete System Compromise: Attackers gain root access, allowing them to install malware, modify system files, and control the affected macOS system.
• Data Theft: Full Disk Access enables attackers to steal sensitive data, including user files, passwords, and confidential information.
• Privacy Breach: Bypassing macOS privacy controls allows unauthorized access to user data and system resources.
• Backdoor Installation: Attackers can install persistent backdoors for long-term access to the compromised system.

Mitigation and Patch Steps

The primary mitigation step is to update SuperDuper! to the latest version. Shirt Pocket has released version 3.11, which addresses this vulnerability.

1. Update SuperDuper!: Download and install the latest version (3.11 or later) from the official Shirt Pocket website: https://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html
2. Verify Update: Ensure that the installed version is 3.11 or later by checking the application’s “About” menu.
3. Monitor for Suspicious Activity: Keep an eye out for any unusual system behavior or unauthorized access attempts.

References

• Shirt Pocket Website
• SuperDuper! Description
• SuperDuper! Security Update v3.11