CVE-2026-26225

EUVD-2026-6164

12.02.2026, 22:16

Intego Personal Backup, a macOS backup utility that allows users to create scheduled backups and bootable system clones, contains a local privilege escalation vulnerability. Backup task definitions are stored in a location writable by non-privileged users while being processed with elevated privileges. By crafting a malicious serialized task file, a local attacker can trigger arbitrary file writes to sensitive system locations, leading to privilege escalation to root.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://blog.quarkslab.com/intego_lpe_macos_1.html

https://integosupport.zendesk.com/hc/en-us/articles/40945636077467-Personal-Backup-X9-Release-Notes

https://www.intego.com/

https://www.intego.com/bootable-mac-backups

https://www.vulncheck.com/advisories/intego-personal-backup-task-file-privilege-escalation