Kaspersky's Global Research and Analysis Team (GReAT) has discovered a critical vulnerability in ExifTool, tracked as CVE-2026-3102, that allows malicious image files to execute code on macOS systems. The vulnerability is triggered while processing malicious image files that carry embedded shell commands in their metadata.
ExifTool, a popular open-source utility, is used for reading and editing image metadata and is widely integrated into applications for photography, digital archiving, data analytics and reporting. At the time of discovery, the vulnerability was affecting thousands of macOS systems.
ExifTool & Exploits
ExifTool is used mostly because it supports hundreds of file formats and is extremely flexible. It can be run as a command-line tool or integrated into other software via its open-source code.
It is in fact often built directly into digital asset management platforms, image editors and automated processing scripts.
Threat actors can push malicious shell commands into fields such as DateTimeOriginal, which normally records when a photo was captured. The image then appears visually harmless, but its metadata hides code capable of compromising the system.
The attack only works under two conditions:
This mode bypasses standard data formatting and displays raw output. During this processing, ExifTool mistakenly interprets the crafted metadata as shell commands, enabling remote code execution.
Once triggered, these commands can download secondary payloads such as infostealers or Trojans from attacker-controlled servers. An attacker could send a seemingly legitimate image that may evade immediate detection.
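As an added example (not code from the Kaspersky report or the ExifTool project), here is a pre-processing check a defender can run over extracted tag values before they reach downstream tooling: date tags must match the EXIF date/time layout, and any free-text tag containing shell metacharacters is flagged for review. The tag dictionary stands in for one record of `exiftool -j` output, and both sample records below are constructed.

```python
import re

# Expected EXIF date/time layout "YYYY:MM:DD HH:MM:SS", optionally with
# fractional seconds and a timezone suffix (assumed set of date tags).
EXIF_DATETIME = re.compile(
    r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(\.\d+)?([+-]\d{2}:\d{2}|Z)?$"
)
DATE_TAGS = {"DateTimeOriginal", "CreateDate", "ModifyDate"}

# Characters a shell treats specially; none belong in a date field and they
# are rare in legitimate free-text tags, so they warrant a manual look.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def check_tags(tags):
    """Return (tag, reason) pairs for values that should not be handed to
    downstream tools unreviewed. `tags` maps tag name -> value, as in one
    record of exiftool JSON output (constructed here, not read from disk)."""
    findings = []
    for name, value in tags.items():
        if not isinstance(value, str):
            continue  # numeric / binary tags are not shell-interpretable text
        if name in DATE_TAGS and not EXIF_DATETIME.match(value):
            findings.append((name, "does not match EXIF date/time format"))
        elif SHELL_META.search(value):
            findings.append((name, "contains shell metacharacters"))
    return findings


# Constructed sample records standing in for two scanned files.
CLEAN = {
    "SourceFile": "holiday.jpg",
    "DateTimeOriginal": "2024:03:01 12:00:00",
    "Make": "Canon",
}
SUSPICIOUS = {
    "SourceFile": "holiday.jpg",
    "DateTimeOriginal": "2024:03:01 12:00:00; echo injected",
    "ImageDescription": "$(echo hi)",
}

if __name__ == "__main__":
    for record in (CLEAN, SUSPICIOUS):
        hits = check_tags(record)
        status = "REVIEW" if hits else "ok"
        print(f"{record['SourceFile']}: {status} {hits}")
```

Files that produce any finding should be quarantined rather than passed to an ExifTool-based pipeline until a person has looked at the flagged fields.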
Remediation:
To prevent exploitation, macOS users and administrators should immediately verify whether their systems or applications rely on ExifTool. Since ExifTool often runs invisibly inside other software, such breaches may evade immediate detection.
ExifTool is popular and deeply integrated across multiple industries, and once the vulnerability is triggered, the embedded commands can download secondary payloads such as infostealers or Trojans from attacker-controlled servers.
(Sources: CVE-2026-3102: macOS ExifTool image-processing vulnerability | Kaspersky official blog)