CVE-2025-4960

The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to properly authenticate clients over the XPC protocol and does not correctly enforce macOS’s authorization model, exposing privileged functionality to untrusted users. Although it invokes the AuthorizationCopyRights API, it does so using overly permissive custom rights that it registers in the system’s authorization database (/var/db/auth.db). These rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. As a result, an attacker can exploit the vulnerable service to perform privileged operations such as executing arbitrary commands or installing system components without requiring administrative credentials.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://pentraze.com/vulnerability-reports/
https://pentraze.com/vulnerability-reports/cve-2025-4960/

Configurations

No configuration.

History

No history.

Information

Published : 2026-02-19 07:17

Updated : 2026-02-19 15:53

NVD link : CVE-2025-4960

Mitre link : CVE-2025-4960

CVE.ORG link : CVE-2025-4960

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-4960", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "41c37e40-543d-43a2-b660-2fee83ea851a", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-19T07:17:38.137", "references": [{"url": "https://pentraze.com/vulnerability-reports/", "source": "41c37e40-543d-43a2-b660-2fee83ea851a"}, {"url": "https://pentraze.com/vulnerability-reports/cve-2025-4960/", "source": "41c37e40-543d-43a2-b660-2fee83ea851a"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "41c37e40-543d-43a2-b660-2fee83ea851a", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to properly authenticate clients over the XPC protocol and does not correctly enforce macOS\u2019s authorization model, exposing privileged functionality to untrusted users. Although it invokes the AuthorizationCopyRights API, it does so using overly permissive custom rights that it registers in the system\u2019s authorization database (/var/db/auth.db).\n\n\nThese rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. As a result, an attacker can exploit the vulnerable service to perform privileged operations such as executing arbitrary commands or installing system components without requiring administrative credentials."}, {"lang": "es", "value": "La herramienta com.epson.InstallNavi.helper, desplegada con el instalador del controlador de impresora EPSON, contiene una vulnerabilidad de escalada de privilegios local debido a m\u00faltiples fallos en su implementaci\u00f3n. No autentica correctamente a los clientes a trav\u00e9s del protocolo XPC y no aplica correctamente el modelo de autorizaci\u00f3n de macOS, exponiendo funcionalidad privilegiada a usuarios no confiables. Aunque invoca la API AuthorizationCopyRights, lo hace utilizando derechos personalizados excesivamente permisivos que registra en la base de datos de autorizaci\u00f3n del sistema (/var/db/auth.db).\n\nEstos derechos pueden ser solicitados y concedidos por el demonio de autorizaci\u00f3n a cualquier usuario local, independientemente del nivel de privilegio. Como resultado, un atacante puede explotar el servicio vulnerable para realizar operaciones privilegiadas, como ejecutar comandos arbitrarios o instalar componentes del sistema sin requerir credenciales administrativas."}], "lastModified": "2026-02-19T15:53:02.850", "sourceIdentifier": "41c37e40-543d-43a2-b660-2fee83ea851a"}