CVE-2025-69604

7.8 HIGH

📋 TL;DR

This vulnerability in the SuperDuper! backup software allows a local attacker to modify task templates so that the application installs arbitrary packages with root privileges and Full Disk Access. This bypasses macOS privacy controls such as TCC (Transparency, Consent, and Control). Users of SuperDuper! 3.11 and earlier on macOS are affected.

💻 Affected Systems

Products:
  • SuperDuper!
Versions: 3.11 and earlier
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the system. SuperDuper! must be installed and configured with task templates.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level persistence, data exfiltration, and bypass of all macOS security controls including FileVault, TCC, and SIP.

🟠 Likely Case

Local privilege escalation leading to installation of backdoors, keyloggers, or data theft from protected areas of the filesystem.

🟢 If Mitigated

Limited impact if proper application sandboxing and least privilege principles are enforced, though TCC bypass remains significant.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is straightforward once access is obtained. The vulnerability involves modifying configuration files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12

Vendor Advisory: https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_v312_now_available

Restart Required: No

Instructions:

1. Download SuperDuper! 3.12 from shirt-pocket.com.
2. Install the update.
3. Verify that the version shows 3.12 or later in About SuperDuper!.

🔧 Temporary Workarounds

Remove SuperDuper! task templates

Applies to: all

Delete or secure SuperDuper! task template files to prevent modification.

rm ~/'Library/Application Support/SuperDuper!/Scheduled Copies/'*.sdsp

The path is single-quoted so that an interactive shell does not treat the "!" in the directory name as a history-expansion character. Deleting these files also removes the scheduled copies they define, so recreate the schedules after updating to 3.12.

Restrict local access

Applies to: all

Limit physical and remote local access to vulnerable systems.

🧯 If You Can't Patch

  • Uninstall SuperDuper! 3.11 and earlier completely
  • Implement strict file permissions on SuperDuper! configuration directories

🔍 How to Verify

Check if Vulnerable:

Check the SuperDuper! version in the About SuperDuper! menu. If the version is 3.11 or earlier, the system is vulnerable.

Check Version:

defaults read '/Applications/SuperDuper!.app/Contents/Info.plist' CFBundleShortVersionString

Verify Fix Applied:

Verify that the version is 3.12 or later in the About SuperDuper! menu.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modifications to SuperDuper! task template files
  • Unexpected package installations with root privileges

Network Indicators:

  • Unusual outbound connections following local privilege escalation

SIEM Query:

process_name="installer" AND parent_process="SuperDuper!" AND NOT signed_by="Apple"

Field names are illustrative and must be mapped to your SIEM's schema. Note that the macOS installer binary itself is Apple-signed, so a code-signing filter should be applied to the package being installed rather than to the installer process, or the query will match nothing.
