
Microsoft Discovered macOS Flaw That Leaked Apple Intelligence Data Across All Your Devices

A severe macOS vulnerability discovered by Microsoft researchers could have allowed attackers to steal highly sensitive data from Apple Intelligence caches and bypass the operating system's core privacy protections, potentially exposing users' precise locations, photos, and personal information across multiple linked devices.

The vulnerability, dubbed "Sploitlight" and now patched as CVE-2025-31199, exploited Spotlight search plugins to circumvent Transparency, Consent, and Control (TCC) — Apple's fundamental privacy framework that prevents apps from accessing personal data without user permission.

Sophisticated Attack Vector

Microsoft Threat Intelligence discovered the flaw during proactive security research, finding that attackers could manipulate Spotlight importers (plugin bundles ending in .mdimporter) to extract data from TCC-protected directories such as the Downloads and Pictures folders.

Unlike previous TCC bypasses, Sploitlight posed unprecedented risks by targeting Apple Intelligence caches containing facial recognition data, precise GPS coordinates, search histories, and photo metadata.

"The implications of this vulnerability are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence," Microsoft researchers explained in their technical analysis.

[Figure: Sploitlight proof of concept. Image: Microsoft]

The attack required no code signing and could be executed through simple file modifications, making it particularly dangerous. Attackers could deploy malicious Spotlight plugins to systematically leak file contents through system logs, effectively turning Apple's own indexing system against user privacy.
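Because the attack hinges on a third-party importer bundle being picked up from the standard Spotlight plugin directories, a defender's first step is simply knowing which importers are installed, where they live, what content types they claim to handle, and whether they are signed. The inventory below is an added example written for this article; it is not Microsoft's or Apple's code. It assumes the usual importer locations (`/Library/Spotlight` and `~/Library/Spotlight`), the `CFBundleIdentifier` and `CFBundleDocumentTypes`/`LSItemContentTypes` keys in each bundle's `Info.plist`, and uses the `com.apple.` identifier prefix as a rough heuristic for "not worth a second look"; the sample bundles it builds in a temp directory are constructed for demonstration only.

```python
"""Inventory Spotlight importer bundles (*.mdimporter) and flag the ones worth review.

Added example, not code from Microsoft or Apple. Assumes the standard importer
directories and the Info.plist keys named below; the sample bundles written by
make_sample_bundle() are constructed and carry no real importer binary.
"""
import os
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed standard locations for third-party importers (Apple's own live under /System).
DEFAULT_ROOTS = ["/Library/Spotlight", os.path.expanduser("~/Library/Spotlight")]
APPLE_PREFIX = "com.apple."  # heuristic only: an attacker can pick any identifier


def read_info_plist(bundle: Path) -> dict:
    """Return the parsed Info.plist of a bundle, or {} if it is missing or unreadable."""
    plist = bundle / "Contents" / "Info.plist"
    try:
        with plist.open("rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}


def content_types(info: dict) -> list:
    """Collect the UTIs the importer registers, i.e. the file kinds Spotlight will feed it."""
    utis = []
    for doc in info.get("CFBundleDocumentTypes", []):
        utis.extend(doc.get("LSItemContentTypes", []))
    return sorted(set(utis))


def signature_status(bundle: Path) -> str:
    """Ask codesign to verify the bundle; codesign is macOS-only, so report 'unknown' elsewhere."""
    if shutil.which("codesign") is None:
        return "unknown"
    res = subprocess.run(["codesign", "--verify", "--deep", str(bundle)],
                         capture_output=True, text=True)
    return "valid" if res.returncode == 0 else "invalid-or-unsigned"


def inventory_importers(roots=DEFAULT_ROOTS) -> list:
    """Walk the importer directories and describe every *.mdimporter bundle found."""
    findings = []
    for root in roots:
        root_path = Path(root)
        if not root_path.is_dir():
            continue
        for bundle in sorted(root_path.glob("*.mdimporter")):
            info = read_info_plist(bundle)
            ident = info.get("CFBundleIdentifier", "<no-identifier>")
            findings.append({
                "path": str(bundle),
                "identifier": ident,
                "content_types": content_types(info),
                "user_writable": os.access(bundle, os.W_OK),
                "modified": bundle.stat().st_mtime,
                "signature": signature_status(bundle),
                # Anything not claiming an Apple identifier, or unsigned, deserves a look.
                "review": not ident.startswith(APPLE_PREFIX),
            })
    return findings


def make_sample_bundle(root: Path, name: str, identifier: str, utis: list) -> Path:
    """Write a minimal, constructed *.mdimporter layout with an Info.plist (no real binary)."""
    bundle = root / f"{name}.mdimporter"
    (bundle / "Contents" / "MacOS").mkdir(parents=True, exist_ok=True)
    (bundle / "Contents" / "MacOS" / name).write_bytes(b"")  # placeholder executable
    info = {"CFBundleIdentifier": identifier,
            "CFBundleDocumentTypes": [{"LSItemContentTypes": utis}]}
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)
    return bundle


def sample_inventory() -> list:
    """Run the inventory against a constructed temp directory holding two sample bundles."""
    tmp = Path(tempfile.mkdtemp(prefix="spotlight-demo-"))
    make_sample_bundle(tmp, "AppleLike", "com.apple.example-importer", ["public.plain-text"])
    make_sample_bundle(tmp, "Suspect", "com.example.third-party", ["public.image"])
    return inventory_importers([str(tmp)])


if __name__ == "__main__":
    # Real run on a Mac: inventory_importers(); here we show the constructed sample.
    for f in sample_inventory():
        print(f"{'REVIEW ' if f['review'] else '       '}{f['identifier']:32} "
              f"sig={f['signature']} utis={f['content_types']} {f['path']}")
```

On a Mac, run `inventory_importers()` with the default roots and compare the result with the list `mdimport -L` prints, so that a bundle Spotlight has loaded but the inventory does not show (or vice versa) stands out. The `review` flag is deliberately coarse: an identifier is attacker-controlled, so treat it as a triage hint and rely on the signature check and the modification time when deciding what to examine.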

Cross-Device Privacy Breach

Perhaps most concerning, the vulnerability extended beyond individual devices. Due to iCloud synchronization, attackers accessing one macOS device could potentially gather intelligence about other linked devices, including iPhones sharing the same Apple ID.

The exposed data included timestamped location histories, face recognition clusters, deleted photo metadata, device information, and user activity patterns — creating comprehensive digital profiles of victims' lives.

Apple released security updates for macOS Sequoia following Microsoft's coordinated disclosure. Users should install these patches promptly to protect against potential exploitation.

Microsoft has enhanced Defender for Endpoint to detect suspicious Spotlight operations, while security experts emphasize that this incident highlights the evolving sophistication of privacy-bypass techniques targeting modern operating systems.

The discovery underscores the critical importance of keeping systems updated and demonstrates how legitimate system features can become attack vectors in sophisticated threat campaigns.
