CVE-2026-12374
Improper XPC caller certificate validation and TOCTOU race condition in macOS PrivilegedHelperTool
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the PrivilegedHelperTool XPC service in Cato Client before v.5.13.1 on macOS allows a local authenticated attacker to escalate privileges to root via a self-signed certificate that bypasses the XPC caller verification and a symlink swap during package installation.
| CWE | CWE-295 CWE-367 |
| Vendor | cato networks |
| Product | sdp client |
| Published | Jul 1, 2026 |
| Last Updated | Jul 1, 2026 |
Affected Versions
Cato Networks / SDP Client
5.12.0 < 5.13.1