ExifTool, a ubiquitous open-source utility for reading and writing file metadata, is at the center of a severe security flaw affecting macOS environments.
Discovered by Kaspersky’s Global Research and Analysis Team (GReAT) in February 2026, CVE-2026-3102 allows threat actors to execute arbitrary shell commands by concealing malicious instructions within an image file’s metadata.
By weaponizing a seemingly benign photo, attackers can silently deploy Trojans, exfiltrate data, or establish a foothold for lateral movement across corporate networks.
The vulnerability stems from inconsistent input sanitization that allows tainted data to reach a dangerous execution sink.
During their analysis, researchers identified a flaw in the SetMacOSTags function. When ExifTool processes file creation dates on macOS, it utilizes the Spotlight system attribute MDItemFSCreationDate, which maps to the internal alias FileCreateDate.
When metadata is processed, the current tag’s text content is assigned to the $val variable. If the tag matches the file creation date attributes, this data flows directly into the SetMacOSTags function.
While the filename parameter is properly escaped before hitting the system() sink, the date value ($val) is left completely unsanitized.
This allows an attacker to inject single quotes, breaking the command structure and executing arbitrary shell commands with the privileges of the user running ExifTool.
Directly writing a malformed date payload into FileCreateDate fails because ExifTool’s built-in PrintConvInv filter detects and rejects invalid date/time formatting.
To bypass this, attackers must leverage the -n flag, which forces ExifTool to accept raw, unformatted machine-readable data, skipping the sanitization step entirely.
The exploitation sequence relies on ExifTool’s copy mechanisms:
DateTimeOriginal, using the -n flag.-tagsFromFile feature to copy the tainted metadata from the source tag into FileCreateDate.Because the vulnerable code path only triggers during a copy operation, not a direct write this sequence successfully forces the unsanitized input into the system() sink.
ExifTool invokes the macOS /usr/bin/setfile command, and the injected single quotes allow the payload to execute seamlessly via command substitution.
Following the disclosure, developers addressed the flaw in ExifTool version 13.50. The vulnerable 13.49 version relied on fragile string concatenation to build system commands.
The patch fundamentally alters this architecture by abstracting the system call into a dedicated System() wrapper.
Instead of executing a concatenated string, the application now passes a secure list of arguments to the system call. This transition from string-form to list-form execution completely eliminates shell interpretation risks and removes the need for manual escaping routines.
Organizations utilizing macOS for photo processing, asset management, or journalism workflows should implement the following defenses:
Powered by
