CVE-2025-69604

High

Published: 29 January 2026

Published

29 January 2026

Modified

13 February 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 3.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69604 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Shirt-Pocket Superduper\!. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation requires applying the vendor-patched SuperDuper! v3.1.2, directly eliminating the vulnerability in task template handling.

CM-6 Configuration Settings good match

prevent

Configuration settings control enforces secure default permissions on the task template, preventing low-privilege local attackers from modifying it.

CM-11 User-installed Software good match

prevent

User-installed software restrictions prohibit or monitor installation of arbitrary packages that could execute root-privileged shell scripts via the exploited template.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Local template modification enables root-level Unix shell execution and privilege escalation via CWE-276 flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy…

controls.

Deeper analysisAI

CVE-2025-69604 affects Shirt Pocket's SuperDuper! version 3.11 and earlier, a macOS backup utility. The vulnerability stems from an issue allowing a local attacker to modify the default task template, enabling the installation of an arbitrary package. This package can execute shell scripts with root privileges and Full Disk Access, bypassing macOS privacy controls. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-276 (Incorrect Default Permissions).

A local attacker with low privileges (PR:L) can exploit this with low attack complexity and no user interaction required. Exploitation involves altering the task template to deploy a malicious package, granting the attacker the ability to run arbitrary shell scripts under root privileges with Full Disk Access. This results in high impacts on confidentiality, integrity, and availability, potentially allowing full system compromise.

Shirt Pocket references, including their blog post announcing SuperDuper! v3.1.2 availability (https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_v312_now_available), indicate that updating to this version mitigates the vulnerability. Practitioners should direct users to the vendor's site (http://shirt.com or https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html) for the patched release and verify installations.