Securelist via Reddit

Kaspersky details ExifTool macOS RCE via image metadata

Tags: cybersecurity, apple, vulnerability

Key insights

  • CVE-2026-3102 relies on ExifTool's -n flag, which bypasses date validation, to achieve shell execution via the DateTimeOriginal metadata field.
  • ExifTool versions 13.49 and earlier are vulnerable; version 13.50 released in February 2026 closes the gap.
  • Exploitation requires no elevated privileges, making full macOS user-level compromise achievable through a single crafted image file.

Why this matters

Automated image-processing pipelines are deeply embedded in CI/CD workflows, media platforms, and developer tooling, so a single unpatched ExifTool instance handling user-supplied images becomes an entry point into production infrastructure. The -n flag requirement narrows the attack surface, but the flag is common in scripted metadata-extraction workflows, leaving many pipelines vulnerable without operators realizing it. Kaspersky's publication of the full attack chain raises the probability of in-the-wild exploitation attempts against organizations that have not yet confirmed their ExifTool versions since the February 2026 release.

Summary

Kaspersky's GReAT team has published a deep technical breakdown of CVE-2026-3102, an ExifTool vulnerability that lets attackers execute arbitrary shell commands on macOS by embedding malicious payloads inside ordinary image files. The attack vector is the DateTimeOriginal EXIF field. When ExifTool processes an image using the -n flag, it skips the tool's built-in date-validation filter, allowing a crafted string in that field to trigger shell execution at the user's privilege level. No elevated rights are required for full system compromise. Essentially: the patch is available (from the ExifTool maintainers, with the analysis coming from Kaspersky GReAT), but detection across active pipelines is the gap that remains open.

  • ExifTool 13.49 and earlier are affected; version 13.50, released February 2026, contains the fix.
  • The -n flag is the critical enabler: any pipeline using it for numeric output mode is specifically at risk if untrusted images enter the workflow.
  • The writeup's attack chain detail is aimed squarely at defenders auditing automated image-processing pipelines, not end users. Any production pipeline ingesting untrusted images and invoking ExifTool with -n is still exploitable if the February patch has not been applied.
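A pre-flight gate a pipeline operator could drop in front of an `exiftool -n` step, written here as an added example and not code from the writeup or from the ExifTool project. It assumes `exiftool -ver` prints a plain `major.minor` version string, that the pipeline already has some reader (ExifTool without -n, or another EXIF library) for the raw DateTimeOriginal value, and that 13.50 is the first fixed release as the writeup states; the sample values in the test are constructed.

```python
"""Gate untrusted images before an `exiftool -n` step (CVE-2026-3102 hardening)."""
from __future__ import annotations

import re
import shutil
import subprocess

# First release carrying the fix, per the Kaspersky writeup.
PATCHED_VERSION = (13, 50)

# Strict EXIF DateTimeOriginal layout: "YYYY:MM:DD HH:MM:SS" and nothing else.
_EXIF_DATETIME = re.compile(r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}$")


def parse_version(text: str) -> tuple[int, int]:
    """Turn ExifTool's 'major.minor' string (e.g. '13.49') into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised ExifTool version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(version_text: str) -> bool:
    """True when the installed ExifTool is 13.50 or later."""
    return parse_version(version_text) >= PATCHED_VERSION


def is_well_formed_exif_datetime(value: str) -> bool:
    """Whitelist check: anything that is not a plain EXIF timestamp is rejected."""
    return bool(_EXIF_DATETIME.match(value))


def installed_version() -> str | None:
    """Ask the real binary for its version (assumes `exiftool -ver` output); None if absent."""
    if shutil.which("exiftool") is None:
        return None
    proc = subprocess.run(["exiftool", "-ver"], capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def decide(version_text: str, date_time_original: str | None, uses_n_flag: bool) -> str:
    """Per-image verdict: 'run', 'quarantine' (malformed date on an unpatched -n run),
    or 'upgrade' (unpatched -n run with no malformed value seen; still fix the install)."""
    if not uses_n_flag or is_patched(version_text):
        return "run"
    if date_time_original is not None and not is_well_formed_exif_datetime(date_time_original):
        return "quarantine"
    return "upgrade"
```

Files returning `quarantine` are the ones to keep for incident review; `upgrade` means the install itself, not the file, is the finding.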

Potential risks and opportunities

Risks

  • Image-processing SaaS platforms (Cloudinary, Imgix, self-hosted Thumbor deployments) that have not upgraded past 13.49 remain exposed to remote code execution via user-uploaded images through mid-2026
  • CI/CD pipelines at software studios, media companies, and journalism organizations could be compromised through poisoned image assets submitted in pull requests, bypassing code-review controls entirely
  • Kaspersky's public attack chain detail gives threat actors a near-complete exploitation recipe, compressing the window between publication and weaponized tooling appearing in commodity attack frameworks

Opportunities

  • Supply-chain security vendors (Snyk, Trivy, Grype) can add ExifTool version and -n flag detection to pipeline scanning rules, capturing budget unlocked by this disclosure at media-heavy enterprises
  • Managed DevSecOps platforms (Chainguard, Anchore) have a narrow window to offer ExifTool-specific SBOM verification and patch attestation services before the story fades from incident-response queues
  • macOS-focused endpoint detection vendors (CrowdStrike Falcon for Mac, SentinelOne) can publish and distribute ExifTool exploitation indicators of compromise, strengthening detection library coverage and competitive positioning in creative-industry verticals

What we don't know yet

  • Whether mainstream macOS image applications (Adobe Lightroom, Capture One, Apple Photos) invoke ExifTool with -n internally and whether their vendors have confirmed patched dependencies
  • No telemetry or threat actor attribution provided: whether CVE-2026-3102 was exploited in the wild before the February 2026 patch remains publicly unconfirmed
  • Whether cloud image-processing services (AWS, Google Cloud Vision, Cloudflare Images) that call ExifTool as an upstream dependency have verified they are running 13.50 or later