Connect with us

Hi, what are you looking for?



Perimeter81 Vulnerability Disclosed After Botched Disclosure Process

Cybersecurity firm Perimeter81 appears to have botched the responsible disclosure process for a privilege escalation vulnerability found in its macOS application.

Network security company Perimeter81 apparently needs to improve its responsible disclosure process for vulnerabilities found in its products.

Cybersecurity researcher Erhad Husovic published a blog post in late June to disclose the details of a local privilege escalation vulnerability discovered in Perimeter81’s macOS application. 

The researcher said the privilege escalation exploit leverages a misconfigured XPC service along with a command injection vulnerability. Exploitation allows an attacker to execute arbitrary commands with root privileges. 

Husovic said at the time that he had first reported his findings to Perimeter81 in mid-March. The vendor was then contacted four more times, but the researcher claimed he only received one response saying that the issue was ‘wrongly sidetracked’.

The security hole was then reported by the researcher to the Vulnerability Information and Coordination Environment (VINCE) at the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. 

CERT/CC published its own advisory for the vulnerability, which is tracked as CVE-2023-33298, after failing to get a response from the vendor.

“At the time, the latest Perimeter81 MacOS application ( suffers from local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows main application to setup things which require administrative privileges such as VPN connection, changing routing table, etc,” CERT/CC said in its advisory. 

Advertisement. Scroll to continue reading.

It added, “By combining insufficient checks of an XPC connection and creating a dictionary with the key ‘usingCAPath’ a command can be appended within that value to be run with administrative privileges.”

The researcher decided to disclose the vulnerability, along with a proof-of-concept (PoC) exploit, more than three months after the initial disclosure. The flaw does not appear to have been patched.

SecurityWeek reached out to Perimeter81 for comment several days before this article was published, but received no response.

The flaw does not seem critical as its exploitation requires access to the targeted system. However, it shows that even cybersecurity companies can botch the vulnerability disclosure process. 

Related: SonicWall Patches Critical Vulnerabilities in GMS, Analytics Products

Related: Trend Micro Patches Another Apex One Vulnerability Exploited in Attacks

Related: Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.