CVE-2025-13733

7.8 HIGH

📋 TL;DR

BuhoNTFS version 1.3.2 contains an insecure XPC service that allows local, unprivileged users to execute arbitrary code with root privileges. This affects macOS systems where BuhoNTFS is installed, enabling privilege escalation attacks.

💻 Affected Systems

Products:
  • BuhoNTFS
Versions: 1.3.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects standard installations of BuhoNTFS 1.3.2 on macOS systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

A local attacker gains full root access to the system, allowing complete compromise, data theft, persistence installation, and lateral movement.

🟠 Likely Case

A local user, or malware already running as that user, escalates privileges to install additional payloads, modify system files, or access protected data.

🟢 If Mitigated

With BuhoNTFS removed or its privileged XPC service disabled, the escalation path is closed. The flaw was only ever reachable by code already running locally; network services are not affected either way.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Any local user (including compromised accounts) can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is straightforward once local access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.drbuho.com/buhontfs

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. Uninstall the vulnerable version.
3. Install the patched version, if one is available.

🔧 Temporary Workarounds

Uninstall BuhoNTFS

Remove the vulnerable software completely. Stop the privileged helper before deleting its files; otherwise the already-running root service keeps answering XPC requests until the next reboot. The daemon label below is the one given in this advisory; confirm it against what is actually on disk before removing anything.

# Confirm the daemon label first
ls /Library/LaunchDaemons | grep -i buho
# Stop the root helper, then remove the app, the per-user data, and the daemon plist
sudo launchctl unload /Library/LaunchDaemons/com.drbuho.buhontfs.plist
sudo rm -rf /Applications/BuhoNTFS.app
rm -rf ~/Library/Application\ Support/BuhoNTFS   # per-user data, no sudo needed
sudo rm -rf /Library/LaunchDaemons/com.drbuho.buhontfs.plist

Disable XPC Service

Stop the privileged helper and keep launchd from starting it again, whether at boot or on demand when the app connects to it. Check afterwards that nothing with that label is still registered.

sudo launchctl unload /Library/LaunchDaemons/com.drbuho.buhontfs.plist
sudo launchctl disable system/com.drbuho.buhontfs
# Should print nothing once the helper is gone
sudo launchctl list | grep -i buhontfs

🧯 If You Can't Patch

  • Restrict local user access to systems with BuhoNTFS installed
  • Implement strict privilege separation and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if BuhoNTFS version 1.3.2 is installed: ls /Applications/ | grep -i buhontfs

Check Version:

Check app bundle version or use: defaults read /Applications/BuhoNTFS.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

Verify BuhoNTFS is not installed or is updated to a version later than 1.3.2
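The three checks above, combined into one script as an added example (not code from the advisory or from the vendor). It assumes the bundle path /Applications/BuhoNTFS.app and the CFBundleShortVersionString key used above; because no fixed release is named, the script treats 1.3.2 and anything older as affected, which is an assumption of this script rather than a statement of the advisory.

```shell
#!/bin/sh
# Added example, not vendor code: classify an installed BuhoNTFS by its version.
# Assumptions: bundle at /Applications/BuhoNTFS.app (override with $1) and the
# version in CFBundleShortVersionString, read with `defaults` on macOS.
set -u

AFFECTED_VERSION="1.3.2"   # the only release the advisory names as affected

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions
# (missing components count as 0, so 1.3 equals 1.3.0; non-digits are ignored).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        bi=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# classify_version V: prints vulnerable | newer | unknown.
# Assumption: the fixed release is unpublished, so 1.3.2 and older are treated as
# affected; "newer" only means newer than 1.3.2, confirm it against vendor notes.
classify_version() {
    v="$1"
    if [ -z "$v" ]; then printf 'unknown\n'; return; fi
    case "$(vercmp "$v" "$AFFECTED_VERSION")" in
        -1|0) printf 'vulnerable\n' ;;
        *)    printf 'newer\n' ;;
    esac
}

# check_install [APP_PATH]: prints "<status> <version>"; exit status 1 if vulnerable,
# so it can gate a fleet script ("check_install || remediate").
check_install() {
    app="${1:-/Applications/BuhoNTFS.app}"
    if [ ! -d "$app" ]; then
        printf 'not-installed\n'
        return 0
    fi
    v=$(defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null || true)
    status=$(classify_version "$v")
    printf '%s %s\n' "$status" "${v:-?}"
    [ "$status" != vulnerable ]
}

check_install "$@"
```

Run it with no arguments on each host; a non-zero exit means the affected build is present and the uninstall or disable workaround above still applies.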

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Processes running as root from non-privileged users
  • XPC service communication anomalies

Network Indicators:

  • Local privilege escalation typically has minimal network indicators

SIEM Query:

Pseudo-query (adapt it to your EDR's schema; the field names are not those of any particular product): process-creation events where the parent process name contains 'BuhoNTFS' (or the helper's launchd label) and the child's effective uid is 0 while the parent's uid is non-zero.
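The query above applied to process-creation events, as an added example that is not part of the advisory. The event format (timestamp, parent name, parent uid, child name, child effective uid, command line) and the sample lines are constructed for this example, as is the second rule, which flags the root helper spawning a shell or interpreter; map the fields to your own EDR's schema before use.

```shell
#!/bin/sh
# Added example, not part of the advisory: detect CVE-2025-13733-style escalation
# in process-creation events. Input format (constructed for this example):
#   <timestamp> <parent_name> <parent_uid> <child_name> <child_euid> <cmdline...>
set -u

# detect_escalation: reads events on stdin, prints one ALERT line per hit.
detect_escalation() {
    awk '
    {
        parent = tolower($2); puid = $3 + 0; child = tolower($4); euid = $5 + 0
        # Only events whose parent is the BuhoNTFS app or its helper are of interest
        if (index(parent, "buhontfs") == 0) next
        # Rule 1 (the SIEM query above): a non-root BuhoNTFS process produced a root
        # child. The GUI app runs as the logged-in user, so a root child under it
        # means privileges were obtained through the XPC service.
        if (puid != 0 && euid == 0) { print "ALERT uid-jump " $0; next }
        # Rule 2 (assumption, not from the advisory): the root helper itself spawned
        # a shell or interpreter, which a disk-mounting helper has no reason to do.
        if (puid == 0 && euid == 0 && child ~ /^(sh|bash|zsh|python3?|osascript)$/) {
            print "ALERT shell-from-helper " $0
        }
    }'
}

# Constructed sample events: two benign, two that should fire, one unrelated.
SAMPLE_LOG='2025-11-20T10:01:02Z launchd 0 BuhoNTFS 501 /Applications/BuhoNTFS.app/Contents/MacOS/BuhoNTFS
2025-11-20T10:01:05Z com.drbuho.buhontfs 0 diskutil 0 diskutil list
2025-11-20T10:02:11Z BuhoNTFS 501 sh 0 sh -c id
2025-11-20T10:02:12Z com.drbuho.buhontfs 0 bash 0 bash -i
2025-11-20T10:03:00Z Finder 501 sh 501 sh -c ls'

# run_sample: apply the detector to the constructed events (two ALERT lines).
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | detect_escalation
}

run_sample
```

Rule 1 is the high-confidence signal; rule 2 will need tuning against what the helper legitimately executes on your hosts before it is promoted from hunting query to alert.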

🔗 References
