VYPR
Unrated severity · NVD Advisory · Published Jan 10, 2019 · Updated Aug 5, 2024

CVE-2018-4032

Description

An exploitable privilege escalation vulnerability exists in the way the CleanMyMac X software improperly validates inputs. An attacker with local access could use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CleanMyMac X 4.04 privilege escalation via improper input validation in helper tool allows local attackers to delete files as root.

Vulnerability

The vulnerability exists in CleanMyMac X version 4.04, which uses a privileged helper tool running as root. The moveItemAtPath function in the helper protocol passes user-supplied arguments to advancedMoveItemAtPath without validation. By supplying nil for the to_path argument, the file at at_path is deleted. There is no validation of the calling application, so any local process can invoke this function. [1]

Exploitation

An attacker with local access to the machine can exploit this vulnerability without authentication (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C). The attacker crafts a malicious application that calls the helper's moveItemAtPath function with a target file path and nil for to_path. Because the helper runs as root, the file is deleted with root privileges. The advisory includes a proof-of-concept Xcode project and Python script. [1]

Impact

Successful exploitation allows an attacker to delete arbitrary files on the root file system as root, escalating privileges from a non-root user to root-level file deletion. The integrity impact is high (CWE-19, CVSS integrity high). While no direct confidentiality or availability impact is specified, deletion of critical system files could lead to denial of service. [1]

Mitigation

No fix has been disclosed in the available references. Users should contact the vendor (MacPaw) for updates and monitor for patched versions of CleanMyMac X. The tested version is 4.04; later versions may have addressed the issue. No workaround is provided. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in the moveItemAtPath function of the privileged helper tool allows a nil to_path argument, causing unintended file deletion as root."

Attack vector

An attacker with local access sends a crafted message to the privileged helper tool's moveItemAtPath function, supplying nil in the to_path argument [1]. Because the helper tool runs as root and performs no validation of the calling application, any local process can invoke this function [1]. The nil to_path causes the underlying advancedMoveItemAtPath:toPath:error: call to delete the file at the source path instead of moving it [1]. This crosses a privilege boundary, allowing a non-root user to delete arbitrary files from the root file system [1].

Affected code

The vulnerability is in the moveItemAtPath function of the privileged helper tool's protocol [1]. The function passes a user-supplied at_path and to_path directly to advancedMoveItemAtPath:toPath:error: without validating that to_path is non-nil [1].

What the fix does

The advisory does not include a patch diff, but the vendor patched the vulnerability on 2018-12-27 [1]. The fix would need to add validation of the to_path argument in the moveItemAtPath function to reject nil or otherwise ensure the helper tool only performs operations authorized by the calling application [1]. Without such validation, any local application can abuse the privileged helper to delete root-owned files [1].
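The two checks described above, rejecting a nil to_path and restricting which clients may reach the helper, as an added Objective-C example (not MacPaw's code and not taken from the advisory). The protocol shape, Mach service name, signing requirement and allowed directory are assumptions, and NSFileManager stands in for the vendor's advancedMoveItemAtPath:toPath:error:.

```objective-c
#import <Foundation/Foundation.h>

// Assumed for this example: protocol shape, service name, allowed root, placeholder requirement.
static NSString *const kAllowedRoot = @"/Library/Application Support/ExampleApp/";
static NSString *const kClientReq = @"anchor apple generic and identifier \"com.example.app\"";

@protocol HelperProtocol
- (void)moveItemAtPath:(NSString *)atPath toPath:(NSString *)toPath withReply:(void (^)(NSError *))reply;
@end
@interface Helper : NSObject <HelperProtocol, NSXPCListenerDelegate> @end

// Returns a resolved path, or nil unless p is an absolute path inside kAllowedRoot.
static NSString *CheckedPath(NSString *p) {
    if (![p isKindOfClass:[NSString class]]) return nil;  // nil and non-strings stop here
    if (!p.isAbsolutePath || [p.pathComponents containsObject:@".."]) return nil;
    NSString *dir = [[p stringByDeletingLastPathComponent] stringByResolvingSymlinksInPath];
    NSString *r = [dir stringByAppendingPathComponent:p.lastPathComponent];
    return [r hasPrefix:kAllowedRoot] ? r : nil;
}

@implementation Helper
- (void)moveItemAtPath:(NSString *)atPath toPath:(NSString *)toPath
             withReply:(void (^)(NSError *))reply {
    NSString *src = CheckedPath(atPath), *dst = CheckedPath(toPath);
    NSError *err = nil;
    if (!src || !dst)  // a nil toPath is an error, never an implicit delete
        err = [NSError errorWithDomain:NSPOSIXErrorDomain code:EINVAL userInfo:nil];
    else
        [[NSFileManager defaultManager] moveItemAtPath:src toPath:dst error:&err];
    reply(err);
}
- (BOOL)listener:(NSXPCListener *)l shouldAcceptNewConnection:(NSXPCConnection *)c {
    c.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    c.exportedObject = self;
    [c resume];
    return YES;
}
@end

int main(void) {
    if (@available(macOS 13.0, *)) {
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        [listener setConnectionCodeSigningRequirement:kClientReq];  // system rejects other clients
        Helper *helper = [Helper new];  // strong reference; the delegate property does not retain
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 1;  // not reached while serving; also the exit when no caller check exists
}
```

The allowed root should be a directory that only root can modify, so that a local user cannot swap a path component between the check and the move.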

Preconditions

  • auth: No authentication required beyond local access to the machine.
  • network: No network access needed; attacker must have local access.
  • input: Attacker must be able to send messages to the privileged helper tool's moveItemAtPath function with a nil to_path argument.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
