Microsoft Warns of New ‘SploitLight’ Vulnerability in macOS
In a new blog post, Microsoft Threat Intelligence has announced the discovery of a new macOS vulnerability that leverages Spotlight plugins to bypass Apple’s Transparency, Consent and Control (TCC) framework, putting private content at risk.

Dubbed SploitLight and tracked as CVE-2025-31199, the flaw allows hackers to extract highly sensitive information safely cached by Apple Intelligence. This includes exact geolocation data, personal photo and video metadata, face and person recognition results, search histories, and individual user preferences.
Apple’s TCC is responsible for preventing unauthorized access to sensitive data and resources, such as the camera, microphone, and protected folders, unless explicit user consent is granted via system prompts. But SploitLight circumvents these safeguards without alerting the user.
And because Spotlight integrates with iCloud, the risk extends beyond a single device. Attackers who exploit SploitLight on one macOS system may be able to glean information about other devices linked to the same iCloud account, creating wider potential exposure.
Microsoft indicates the vulnerability is more severe than earlier TCC bypasses. For example, HM-Surf exploited the Safari directory and powerdir manipulated file entitlements, and both were limited in scope. SploitLight, by contrast, can access a broader range of private data and operate across shared iCloud data stores.
Microsoft has already coordinated disclosure of this flaw with Apple. While there’s no public announcement yet from Apple, users are strongly advised to install the latest macOS security updates as soon as they become available.

Security teams using Microsoft Security Copilot can deploy automated playbooks in response to SploitLight incidents. These tools help defenders spot anomalous Spotlight plugin activity and investigate potential TCC breaches with greater speed and precision.
https://support.apple.com/en-ca/122373
CVE-2025-31199 addressed in macOS Sequoia 15.4.
Thanks for coming out