Apple has released a security update that fixes a macOS flaw capable of exposing private files protected by Transparency, Consent, and Control (TCC). The vulnerability, nicknamed Sploitlight, exploited Spotlight importers to bypass TCC rules and leak data such as photo metadata, precise location history, and Apple Intelligence caches.
What is Sploitlight
Spotlight indexes files on a Mac to support fast searches. It uses small components called importers to read file contents and return metadata. Normally, these importers run in a sandbox and respect the TCC restrictions that guard folders like Downloads, Desktop, and Pictures. Microsoft Threat Intelligence discovered that a malicious importer could exfiltrate file contents by writing them to system logs, from which they could then be read back without elevated privileges.

Risks to Apple Intelligence and iCloud sync
Sploitlight could access more than static files. It also targeted caches used by Apple Intelligence, including note summaries, search preferences, and face recognition tags. Because iCloud sync links Macs, iPhones, and iPads, data stolen from one device might reveal information on others. Attackers with access to a single Mac could harvest sensitive details from a user’s entire Apple ecosystem.
Apple’s response and fix
Microsoft reported the issue early in 2025. Apple addressed it on March 31 in an update to macOS Sequoia. The fix is tracked as CVE-2025-31199. Apple's security notes explain that the fix improved data redaction and tightened how Spotlight handles plugin requests. Users running macOS Sequoia 15.4 or later have received the update automatically if they keep software updates turned on.
How to protect your data
Users should install the latest macOS updates immediately, even if no irregular activity has appeared. Do not install unsigned Spotlight plugins or software of unknown origin that asks for access to system folders. Administrators can check logs for signs of custom importers loaded from user directories. Keeping all devices on the latest operating system version reduces the chance that an attacker can use previously unpatched vulnerabilities.
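
One way to look for custom importers in user directories and check whether they are signed, as an added example that is not code from Apple or Microsoft. It assumes per-user importers are `.mdimporter` bundles under each home folder's `Library/Spotlight` (a standard macOS location not named in this article) and that the macOS `codesign` tool is available; without it, bundles are listed as `unchecked`.

```shell
#!/bin/sh
# Added example: list Spotlight importer bundles installed in per-user
# directories and flag any that fail code-signature verification.
# Assumption: per-user importers live in <home>/Library/Spotlight/*.mdimporter.

# audit_user_importers [USERS_ROOT]
# Prints one line per bundle found: "<status><TAB><path>"
#   signed    - codesign verification succeeded
#   UNSIGNED  - codesign verification failed (unsigned or tampered)
#   unchecked - codesign is not available on this host
audit_user_importers() {
    users_root="${1:-/Users}"
    for bundle in "$users_root"/*/Library/Spotlight/*.mdimporter; do
        # An unmatched glob stays literal; skip anything that is not a bundle directory.
        [ -d "$bundle" ] || continue
        if command -v codesign >/dev/null 2>&1; then
            if codesign --verify --strict "$bundle" >/dev/null 2>&1; then
                status="signed"
            else
                status="UNSIGNED"
            fi
        else
            status="unchecked"
        fi
        printf '%s\t%s\n' "$status" "$bundle"
    done
}

# count_user_importers [USERS_ROOT]
# Prints the number of per-user importer bundles found.
count_user_importers() {
    audit_user_importers "$1" | wc -l | tr -d ' '
}

# Scan the default location (or USERS_ROOT if set in the environment).
audit_user_importers "${USERS_ROOT:-/Users}"
```

Any per-user importer the administrator did not deploy deserves review, signed or not; `mdimport -L` shows which importers Spotlight has actually loaded.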

It is essential to make sure that all Apple devices connected to iCloud are safe. A single compromised Mac may lead to a wider data breach affecting the user's iPhone and iPad. Regularly check that updates have installed successfully and that privacy protection is activated under System Settings. By blocking Sploitlight, Apple has tightened the integrity of Spotlight and has shielded Apple Intelligence assets.