Cyber Resilience

CVE-2024-14032

Severity: High · Public PoC

Published: 06 April 2026
Modified: 14 April 2026
KEV added: not listed
Patch: none available
CVSS v4.0 score: 8.5 (High), vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0018 (7.4th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2024-14032 is a high-severity Missing Authorization (CWE-862) vulnerability in Twitch Studio, published by Twitch. Its CVSS v4.0 base score is 8.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks the CVE at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-14032 is a local privilege escalation vulnerability in Twitch Studio version 0.114.8 and prior. The application ships a privileged helper tool whose XPC service is unprotected: it accepts connections without verifying the caller's identity or authorization. The flaw is classified as CWE-862 (Missing Authorization). A local attacker can invoke the helper's installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, which yields arbitrary code execution as root and full system compromise. Alongside the v4.0 score of 8.5, the vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit the issue with low attack complexity (AC:L) and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability. The only precondition is local code execution on a system running an affected Twitch Studio version; from there the attacker escalates to root and can establish persistence.

Advisories referenced in VulnCheck and IRU publications describe the unprotected XPC service and the resulting root-level file writes; Twitch support pages cover related software topics but not this issue. No patch is available: Twitch Studio was discontinued in May 2024.

Security practitioners should prioritize uninstalling Twitch Studio from affected macOS systems, given the discontinuation and lack of vendor support. Because a privileged helper tool is installed outside the application bundle (on macOS, helpers blessed through SMJobBless are placed in /Library/PrivilegedHelperTools with a matching launchd plist in /Library/LaunchDaemons), deleting the app alone does not remove the vulnerable XPC service; verify that the helper binary and its launchd job are gone as well.

Vulnerability details

Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation: the unprotected XPC service of the privileged helper lets a low-privileged user overwrite system files and privileged binaries, giving root code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32658 (shared CWE-862)
CVE-2026-6506 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2025-21396 (shared CWE-862)
CVE-2021-47701 (shared CWE-862)
CVE-2026-40349 (shared CWE-862)
CVE-2024-57726 (shared CWE-862)
CVE-2025-7665 (shared CWE-862)
CVE-2024-11936 (shared CWE-862)
CVE-2025-2815 (shared CWE-862)

Affected Assets

Vendor: Twitch
Product: Twitch Studio
Versions: ≤ 0.114.8

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-6 Least Privilege (prevent)

Enforces least privilege on the privileged helper tool so that low-privileged local users cannot invoke root-level XPC methods to escalate privileges.

AC-3 Access Enforcement (prevent)

Requires the XPC service to enforce approved authorizations on every request, blocking unauthorized callers from the method that enables system file overwrites.

AC-25 Reference Monitor (prevent)

Mediates every access to the privileged helper tool through a single, always-invoked check, so that a missing authorization check in an individual XPC method cannot be exploited.
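The following Objective-C is an added example written for this page; it is not Twitch Studio's code and does not reproduce the actual helper. It shows the shape of the bug described in the deeper analysis (an NSXPCListener delegate that accepts any connection and exposes installFromPath:toPath:withReply: as root) next to a hardened delegate that applies the three controls above: every connection is mediated before any method is reachable (AC-25), the caller is authenticated against a code-signing requirement (AC-3), and the method is confined to a single install directory (AC-6). Only the selector installFromPath:toPath:withReply: comes from the advisory; the protocol name, the client bundle identifier, the team ID and the install root are placeholders. The auditToken accessor on NSXPCConnection is a private property, declared here through a category because there is no public equivalent and the PID-based alternative is subject to PID reuse.

```objective-c
// Added example for CVE-2024-14032 (not Twitch Studio's code). Placeholders:
// InstallHelperProtocol, com.example.client, the team ID and kInstallRoot.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <errno.h>

// Protocol the helper exports over XPC (protocol name assumed; selector from the advisory).
@protocol InstallHelperProtocol
- (void)installFromPath:(NSString *)src toPath:(NSString *)dst withReply:(void (^)(NSError *))reply;
@end

// Private, long-established accessor for the peer's audit token. There is no public
// NSXPCConnection API for it; processIdentifier is public but a PID can be reused.
@interface NSXPCConnection (AuditTokenAccess)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// ---- Vulnerable shape (CWE-862): any local client, any destination, as root ----
@interface VulnerableHelper : NSObject <NSXPCListenerDelegate, InstallHelperProtocol>
@end

@implementation VulnerableHelper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(InstallHelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;                                   // nobody is asked who they are
}
- (void)installFromPath:(NSString *)src toPath:(NSString *)dst withReply:(void (^)(NSError *))reply {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSError *err = nil;
    [fm removeItemAtPath:dst error:NULL];         // dst may be a root-owned binary or a LaunchDaemon plist
    [fm copyItemAtPath:src toPath:dst error:&err];
    reply(err);
}
@end

// ---- Hardened shape: authenticate the peer, then authorize the request ----
static NSString * const kClientRequirement =      // placeholder identifier and team ID
    @"anchor apple generic and identifier \"com.example.client\" "
     "and certificate leaf[subject.OU] = \"ABCDE12345\"";
static NSString * const kInstallRoot = @"/Library/Application Support/ExampleApp";  // placeholder

@interface HardenedHelper : NSObject <NSXPCListenerDelegate, InstallHelperProtocol>
@end

@implementation HardenedHelper
// Reference-monitor check (AC-25): the delegate runs for every connection before any
// exported method is reachable. The peer is located by audit token and checked against
// a designated requirement, so an unsigned, foreign or tampered client is refused.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    audit_token_t token = conn.auditToken;
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };

    SecCodeRef peer = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &peer) != errSecSuccess) {
        return NO;
    }
    SecRequirementRef req = NULL;
    OSStatus status = SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                                     kSecCSDefaultFlags, &req);
    if (status == errSecSuccess) {
        status = SecCodeCheckValidity(peer, kSecCSDefaultFlags, req);   // AC-3: approved caller only
        CFRelease(req);
    }
    CFRelease(peer);
    if (status != errSecSuccess) {
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(InstallHelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

// Least privilege (AC-6): even an authenticated client may only write under the helper's
// own install root. Paths are standardized and symlink-resolved before the prefix check
// so "../" segments and symlinked directories cannot redirect the write.
- (void)installFromPath:(NSString *)src toPath:(NSString *)dst withReply:(void (^)(NSError *))reply {
    NSString *root = [kInstallRoot stringByResolvingSymlinksInPath];
    NSString *target = [[dst stringByStandardizingPath] stringByResolvingSymlinksInPath];
    if (![target hasPrefix:[root stringByAppendingString:@"/"]]) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:EACCES userInfo:nil]);
        return;
    }
    // src is read as root and needs the same confinement in real code; omitted here.
    NSFileManager *fm = [NSFileManager defaultManager];
    NSError *err = nil;
    [fm removeItemAtPath:target error:NULL];
    [fm copyItemAtPath:src toPath:target error:&err];
    reply(err);
}
@end
```

The requirement string should also pin a minimum client version where older, signed client builds are themselves exploitable, since SecCodeCheckValidity only proves the caller is a genuine build of the expected app, not that it is a safe one.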
