Cyber Resilience

CVE-2026-24066

High

Published: 10 June 2026

Published
10 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 2.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24066 is a high-severity Improper Following of a Certificate's Chain of Trust (CWE-296) vulnerability in Sec Consult (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Code Signing (T1553.002); ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client's signing certificate and does not verify that…

more

the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1553.002 Code Signing Defense Impairment
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Why these techniques?

Vulnerability directly bypasses code-signing certificate chain validation, enabling attacker to connect with self-signed code and abuse privileged XPC service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Sec Consult
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-296

Requires only approved trust anchors in stores, ensuring proper chain-of-trust validation rather than arbitrary or incomplete paths.

References