Full Report
TCC Bypass vulnerability has been found in three macOS applications: Poedit (CVE-2025-4280), Viscosity (CVE-2025-4412), DaVinci Resolve (CVE-2025-4081)
Analysis Summary
# Vulnerability: TCC Bypass in Multiple macOS Applications (Poedit, Viscosity, DaVinci Resolve)
## CVE Details
This summary covers three distinct vulnerabilities related to TCC (Transparency, Consent, and Control) bypass mechanisms on macOS. No specific CVSS scores were provided in the source material.
| CVE ID | Product Affected | Severity (Inferred) | CWE |
| :--- | :--- | :--- | :--- |
| CVE-2025-4280 | Poedit | Not Specified | CWE-276 (Incorrect Default Permissions) |
| CVE-2025-4412 | Viscosity | Not Specified | CWE-276 (Incorrect Default Permissions) |
| CVE-2025-4081 | DaVinci Resolve | Not Specified | CWE-276 (Incorrect Default Permissions) |
## Affected Systems
- **Products:** Poedit, Viscosity, DaVinci Resolve
- **Versions:**
  - **Poedit:** Versions from 2.0 up to, but not including, 3.6.3.
  - **Viscosity:** All versions through 1.11.4.
  - **DaVinci Resolve:** All versions (19.1.3 was the last tested version).
- **Configurations:** macOS systems where the applications are installed and have previously been granted TCC access by the user.
## Vulnerability Description
The core vulnerability across these three applications stems from weaknesses in how they handle bundled components or dynamic libraries on macOS, allowing an attacker with local access to leverage the application's existing, user-granted Transparency, Consent, and Control (TCC) permissions to access sensitive user files without triggering new privacy prompts.
* **Poedit (CVE-2025-4280):** The bundled Python interpreter inherits the TCC permissions granted to the main application bundle. An attacker can invoke this interpreter to run arbitrary commands/scripts and access files protected by TCC.
* **Viscosity (CVE-2025-4412):** The Launch Agent mechanism (the `viscosity_openvpn` process) can be abused to load a dynamic library under Viscosity's TCC identity, thereby inheriting the file permissions the user granted to the application.
* **DaVinci Resolve (CVE-2025-4081):** The combination of using the entitlement `com.apple.security.cs.disable-library-validation` and lacking proper launch/library load constraints permits an unprivileged local attacker to substitute a legitimate dynamic library (dylib) with a malicious one, bypassing TCC checks for previously granted permissions.
In all cases, access to resources *beyond* the permissions already granted (e.g., camera, microphone, or totally new file areas) will still trigger a standard macOS system prompt asking for approval in the name of the affected application.
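As an added defender-side example (not code from the source report or from any of the named vendors), the following Python script reads a bundle's signed entitlements and flags the `com.apple.security.cs.disable-library-validation` entitlement described above, together with the related `allow-dyld-environment-variables` entitlement. The `app_entitlements` helper assumes a macOS host with `codesign` on the path and that its output contains an XML plist; the sample plist is constructed for illustration and is not the real entitlements of any named product.

```python
import plistlib
import subprocess
from typing import Dict, List

# Entitlements that weaken code-signing enforcement for hardened-runtime apps.
# With library validation disabled, a dylib not signed by the same Team ID can
# be loaded into the process, which is the DaVinci Resolve condition above.
RISKY_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation":
        "loads dylibs not signed by the same Team ID or by Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* environment variables (library injection)",
}

def risky_entitlements(entitlements_plist: bytes) -> List[str]:
    """Return the risky entitlement keys that are set to true in a plist."""
    # Assumption: codesign may prepend header bytes; skip to the XML plist.
    start = entitlements_plist.find(b"<?xml")
    if start == -1:
        raise ValueError("no XML plist found in entitlements output")
    ents = plistlib.loads(entitlements_plist[start:])
    return [key for key in RISKY_ENTITLEMENTS if ents.get(key) is True]

def app_entitlements(bundle_path: str) -> bytes:
    """Fetch the signed entitlements of a bundle via codesign (macOS only)."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", bundle_path],
        check=True, capture_output=True).stdout

# Constructed sample: a hardened-runtime app that opted out of library
# validation but did not enable DYLD environment variables.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <false/>
    <key>com.apple.security.device.camera</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for key in risky_entitlements(SAMPLE_ENTITLEMENTS):
        print(f"{key}: {RISKY_ENTITLEMENTS[key]}")
```

Run it against installed bundles (for example, `risky_entitlements(app_entitlements("/Applications/Example.app"))`) to inventory which TCC-authorised applications have opted out of library validation.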
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild. The level of technical detail in the report implies that proof-of-concept code exists or can readily be constructed by a local user.
- **Complexity:** Low/Medium (requires local, unprivileged user access; once that access exists, the bypass is straightforward).
- **Attack Vector:** Local.
## Impact
- **Confidentiality:** High (If the application previously had access to sensitive user files like documents or photos, the attacker can exfiltrate this data without a new prompt).
- **Integrity:** Medium (The attacker can potentially modify files within the scope of the granted TCC permissions).
- **Availability:** Low (No indication of denial of service, focus is on data access).
## Remediation
### Patches
- **Poedit:** Upgrade to version **3.6.3** or later.
- **Viscosity:** Upgrade to version **1.11.5** or later.
- **DaVinci Resolve:** Contact **Blackmagic Design** for specific version information, as the report states "All" versions are affected, implying the fix will be in a forthcoming update.
### Workarounds
No specific workarounds were detailed in the summary, other than immediate patching. A general principle would be to revoke TCC permissions granted to these applications if they are not actively needed, limiting the scope of the potential TCC bypass.
## Detection
- **Indicators of Compromise:** Monitoring for abnormal process behavior associated with the legitimate application binaries (e.g., Poedit invoking system shells or Python interpreters in unexpected ways, or unusual dynamic library loading patterns for Viscosity/DaVinci Resolve).
- **Detection methods and tools:** Standard Endpoint Detection and Response (EDR) systems monitoring for unauthorized execution contexts stemming from signed application bundles that attempt to access otherwise protected directories.
## References
- Vendor advisories are not explicitly linked by CVE ID, but contact should be made with Poedit, SparkLabs (Viscosity), and Blackmagic Design (DaVinci Resolve).
- Relevant links (defanged):
  - hxxps://incydent.cert.pl/#!/lang=en
  - hxxps://cert.pl/en/cvd/