macOS VoiceOver TCC Bypass in ScreenReader.framework
CVE-2025-43530 is a macOS privacy/security vulnerability in Apple’s Transparency, Consent, and Control (TCC) enforcement path involving the VoiceOver accessibility stack, specifically ScreenReader.framework and the associated com.apple.scrod service. Public reporting indicates the vulnerable logic trusted Apple-signed clients too broadly and contained a time-of-check/time-of-use (TOCTOU) weakness in client validation. As a result, a local attacker could abuse the private VoiceOver API path, including by injecting a malicious dynamic library into a trusted Apple-signed process or modifying a process after validation but before use, to obtain access normally gated by TCC. Reported post-exploitation capabilities include arbitrary AppleScript execution, sending AppleEvents to other processes such as Finder, and access to protected resources including user files and microphone data without the expected consent prompts. Apple states the issue was addressed with improved checks, and later reporting indicates the fix moved to entitlement-based validation requiring the com.apple.private.accessibility.scrod entitlement.
Exploits
No public exploit code observed for this vulnerability.
Recent activity
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A macOS TCC bypass vulnerability that could let attackers abuse trusted Apple components to access protected files, microphone data, and other sensitive resources without user consent prompts.
A critical vulnerability in macOS allows attackers to bypass the Transparency, Consent, and Control (TCC) privacy framework, enabling silent access to sensitive files, microphone data, and user activity without user consent. The flaw stems from weaknesses in how macOS trusts certain Apple-signed system services and a TOCTOU issue, allowing code execution and AppleEvent manipulation without administrative privileges.
A vulnerability in macOS TCC (Transparency, Consent, and Control) allows bypassing privacy controls, exposing the system to unchecked automation.
A critical TCC (Transparency, Consent, and Control) bypass vulnerability in macOS VoiceOver (ScreenReader.framework) allows attackers to execute arbitrary AppleScript commands and access sensitive user data without user consent.