
Sploitlight: macOS Vulnerability Leaks Sensitive Information

The TCC bypass could expose information cached by Apple Intelligence, including geolocation and biometric data.

The post Sploitlight: macOS Vulnerability Leaks Sensitive Information appeared first on SecurityWeek.

A vulnerability in macOS could have allowed attackers to bypass Apple’s Transparency, Consent, and Control (TCC) protections and access sensitive information, Microsoft says.

Tracked as CVE-2025-31199 and described as a logging issue, the flaw was addressed in March 2025 with the release of macOS Sequoia 15.4, iOS 18.4 and iPadOS 18.4, and visionOS 2.4.

“An app may be able to access sensitive user data. A logging issue was addressed with improved data redaction,” Apple’s advisory explains.

Microsoft, which reported the security defect, built a proof-of-concept (PoC) exploit named Sploitlight to demonstrate how Spotlight plugins, which are called importers, can be used to leak sensitive user information and file contents.

Spotlight is a built-in macOS application that helps users quickly find content on a device by indexing it. Spotlight relies on importer plugins to extract indexable content from file types it cannot parse on its own, and the resulting metadata is stored in index files saved locally.

Apple’s TCC technology is meant to prevent applications from accessing a user’s personal information, such as their Downloads and Pictures directories, location services, camera, and microphone, without their consent.

“The only legitimate method for an application to gain access to these services is through user approval via a popup prompt within the user interface or by granting per-app access in the operating system’s settings,” Microsoft explains.

Spotlight plugins, which have privileged access to sensitive files, are governed by heavy restrictions, but Microsoft discovered that they could be abused to exfiltrate the contents of well-defined file types, as well as other sensitive information.

“On modern macOS systems, Spotlight plugins are not even permitted to read or write any file other than the one being scanned. However, we have concluded that this is insufficient, as there are multiple ways for attackers to exfiltrate the file’s contents,” Microsoft explains.

An attacker with access to a device, Microsoft says, needs to modify the files in a Spotlight plugin bundle that declare which file types it processes, copy the modified bundle to the ~/Library/Spotlight directory, force Spotlight to load it, have it recursively scan and leak the files under the declared path, and then use the log utility to read the files’ contents.
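Two things a defender can check from the description above are whether a Mac is on the fixed Sequoia release named earlier (15.4) and what file types any importer bundle sitting in the user-writable ~/Library/Spotlight directory claims to handle. The script below is an added example, not Microsoft’s Sploitlight PoC or any Apple code; it assumes the documented Info.plist layout for .mdimporter bundles (CFBundleDocumentTypes with LSItemContentTypes), and the sample plist, the watch list of content types, and the bundle identifier are constructed for illustration.

```python
"""Audit Spotlight importer bundles and the macOS patch level (added example, constructed data)."""
import plistlib
from pathlib import Path

# Where Spotlight picks up importers. ~/Library/Spotlight is writable by the user,
# which is why a modified bundle copied there is loaded without elevated privileges.
USER_IMPORTER_DIRS = [Path.home() / "Library" / "Spotlight"]
SYSTEM_IMPORTER_DIRS = [Path("/Library/Spotlight"), Path("/System/Library/Spotlight")]

# Constructed watch list: broad or media content types that overlap with data TCC guards
# (for example the Pictures directory). Not exhaustive; tune to your environment.
SENSITIVE_UTIS = {"public.image", "public.movie", "public.audio",
                  "public.data", "public.item", "public.content"}

# Fixed macOS Sequoia version named in Apple's advisory for CVE-2025-31199.
FIXED_SEQUOIA_VERSION = "15.4"

# Constructed Info.plist for a hypothetical user-installed importer (not a real bundle).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed.importer</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>LSItemContentTypes</key>
      <array>
        <string>public.image</string>
        <string>com.example.constructed.notes</string>
      </array>
    </dict>
  </array>
</dict>
</plist>"""


def declared_content_types(info_plist: bytes) -> set:
    """Return every UTI the importer's Info.plist says it will be handed files for."""
    plist = plistlib.loads(info_plist)
    types = set()
    for doc_type in plist.get("CFBundleDocumentTypes", []):
        types.update(doc_type.get("LSItemContentTypes", []))
    return types


def assess_importer(info_plist: bytes, user_writable: bool) -> dict:
    """Flag an importer that lives in a user-writable directory and claims sensitive types."""
    plist = plistlib.loads(info_plist)
    types = declared_content_types(info_plist)
    flagged = sorted(types & SENSITIVE_UTIS)
    return {
        "bundle_id": plist.get("CFBundleIdentifier", "<missing>"),
        "content_types": sorted(types),
        "flagged": flagged,
        "risk": "review" if (user_writable and flagged) else "ok",
    }


def scan_importer_dirs(dirs, user_writable: bool) -> list:
    """Read Contents/Info.plist from each *.mdimporter bundle found under the given dirs."""
    results = []
    for base in dirs:
        if not base.is_dir():
            continue
        for bundle in sorted(base.glob("*.mdimporter")):
            plist_path = bundle / "Contents" / "Info.plist"
            if plist_path.is_file():
                result = assess_importer(plist_path.read_bytes(), user_writable)
                result["path"] = str(bundle)
                results.append(result)
    return results


def _version_tuple(version: str) -> tuple:
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad so 15.4 == 15.4.0


def is_at_fixed_version(product_version: str) -> bool:
    """True if the reported macOS version is at or above the Sequoia fix release (15.4)."""
    return _version_tuple(product_version) >= _version_tuple(FIXED_SEQUOIA_VERSION)


if __name__ == "__main__":
    # Offline demonstration on the constructed plist, then a live scan of the real directories.
    print(assess_importer(SAMPLE_INFO_PLIST, user_writable=True))
    for r in scan_importer_dirs(USER_IMPORTER_DIRS, user_writable=True):
        print(r)
    for r in scan_importer_dirs(SYSTEM_IMPORTER_DIRS, user_writable=False):
        print(r)
```

On a Mac, feed the output of `sw_vers -productVersion` to `is_at_fixed_version`; on any other system the directory scan simply returns an empty list while the constructed plist still exercises the parsing and flagging logic.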

Additionally, the tech giant explains, the security defect can be exploited to leak data that Apple Intelligence caches under various directories, such as the Pictures folder (where the files are protected by the ‘Pictures’ TCC service type).

An attacker could abuse the flaw to leak precise geolocation data, photo and video metadata, face and other recognition data, user activity and event context, photo albums and shared libraries, metadata of recently deleted items, image classification and object detection, and search history and user preferences.

According to Microsoft, an attacker could also extract information about other Apple devices that share the same iCloud account as the macOS system the attacker has access to.

“The implications of this vulnerability are even more extensive given the remote linking capability between devices using the same iCloud account, enabling attackers to determine more remote information about a user through their linked devices,” Microsoft notes.

Related: Apple Patches Major Security Flaws in iOS, macOS Platforms

Related: Apple Quashes Two Zero-Days With iOS, macOS Patches

Related: Apple Patches Recent Zero-Days in Older iPhones

Related: AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover
