A serious security flaw in macOS, identified as CVE-2025-31199 and dubbed “Sploitlight,” has been disclosed by Microsoft’s Threat Intelligence team. The vulnerability, now patched by Apple, affected the Spotlight search engine’s plugin system and exposed sensitive user data, including information cached by the latest Apple Intelligence features.
Technical Details and Exploit Mechanism
Sploitlight abused the way Spotlight indexed and processed plugin data, enabling malicious applications to inject custom plugins or manipulate existing ones. Once indexed, these compromised plugins bypassed Apple’s Transparency, Consent, and Control (TCC) privacy protections. As a result, attackers gained unauthorized read access to files and metadata that should have been protected by user consent mechanisms.
Among the most concerning implications was the ability to access sensitive data including:
- Geolocation coordinates
- Media, photo, and video metadata
- Facial and object recognition information
- AI-driven email summaries and notes
- User search history and preferences
- Metadata about other devices connected via iCloud
The attack was not limited to locally stored data. Due to integration with iCloud, intelligence metadata synchronized from other Apple devices—such as an iPhone—could also be exposed if an attacker gained access to one Mac.
Severity and Industry Implications
While past vulnerabilities have bypassed TCC protections, Sploitlight was distinguished by its broad scope and the volume of data at risk. The flaw particularly highlighted the challenges that surface when AI-powered features, like Apple Intelligence, aggregate large amounts of personal information. The vulnerability’s potential to reveal metadata about externally synced devices raised grave privacy and security concerns for both consumers and enterprises.
Vulnerability Discovery and Responsible Disclosure
Microsoft’s Threat Intelligence researchers uncovered and documented the Sploitlight vulnerability, coordinating disclosure under industry best practices. Apple responded by developing and releasing a fix in macOS Sequoia 15.4, which became available on March 31, 2025. As of the patch release, there was no public evidence of widespread exploitation in the wild.
Recommendations for Users and IT Professionals
All macOS users are urged to update their systems to at least macOS Sequoia 15.4 or newer to mitigate risk. In addition, users should audit the permissions granted to applications and plugins, exercise caution with software sourced from third parties, and ensure consistent security hygiene throughout their device ecosystem.
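The two checks recommended above can be scripted. The following is an added example, not code from Apple or Microsoft: it compares the running macOS version with 15.4 and lists Spotlight importer plugins installed outside `/System`. It assumes the standard importer locations `~/Library/Spotlight` and `/Library/Spotlight` and the `.mdimporter` bundle extension; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): patch-level check and Spotlight
# importer inventory for CVE-2025-31199. FIXED_VERSION is the article's figure.
FIXED_VERSION="15.4"

# version_ge A B: succeed when dotted version A >= B, comparing each field
# numerically (so 15.10 > 15.4) and treating missing fields as 0.
version_ge() {
    a_rest="$1"; b_rest="$2"
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_part="${a_rest%%.*}"; b_part="${b_rest%%.*}"
        case "$a_rest" in *.*) a_rest="${a_rest#*.}" ;; *) a_rest="" ;; esac
        case "$b_rest" in *.*) b_rest="${b_rest#*.}" ;; *) b_rest="" ;; esac
        a_part="${a_part:-0}"; b_part="${b_part:-0}"
        [ "$a_part" -gt "$b_part" ] && return 0
        [ "$a_part" -lt "$b_part" ] && return 1
    done
    return 0
}

# list_importers DIR...: print every *.mdimporter bundle found directly in
# the given directories; directories that do not exist are skipped.
list_importers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for bundle in "$dir"/*.mdimporter; do
            [ -e "$bundle" ] || continue   # glob matched nothing
            printf '%s\n' "$bundle"
        done
    done
}

# audit_host: run on the Mac being checked.
audit_host() {
    current="$(sw_vers -productVersion)"
    if version_ge "$current" "$FIXED_VERSION"; then
        echo "macOS $current: at or above $FIXED_VERSION"
    else
        echo "macOS $current: below $FIXED_VERSION, update required"
    fi
    echo "Spotlight importers outside /System (review each one):"
    list_importers "$HOME/Library/Spotlight" /Library/Spotlight
}

# Only audit when actually on macOS; elsewhere the functions can be sourced.
if [ "$(uname -s)" = "Darwin" ]; then audit_host; fi
```

The directory scan does not cover importers shipped inside application bundles; `mdimport -L` prints the full list Spotlight has registered.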
Key Facts Table: Sploitlight Vulnerability
| Attribute | Detail |
|---|---|
| Vulnerability Name | Sploitlight |
| CVE Number | CVE-2025-31199 |
| Affected Feature | Spotlight search plugin indexing |
| Exploitable | Yes, through malicious plugins bypassing TCC |
| Data Exposed | Apple Intelligence cache, geolocation, metadata, search history, iCloud-synced device info |
| Patch Released | March 31, 2025 (macOS Sequoia 15.4) |
| Disclosed by | Microsoft Threat Intelligence |
| Status | No known widespread exploitation before patch; fix available |