Security researchers at Kaspersky's Global Research and Analysis Team have disclosed CVE-2026-3102, a critical vulnerability in ExifTool that allows attackers to execute arbitrary commands on macOS systems by hiding malicious code inside image file metadata. The flaw affects ExifTool version 13.49 and earlier, a widely used utility for reading and writing metadata in images, PDFs, audio, and video files. The vulnerability was discovered in February 2026 and patched by developers within the same month.
The vulnerability stems from improper input sanitization in ExifTool's SetMacOSTags function, which handles macOS file creation dates. When processing images, ExifTool extracts metadata tags and their values, including the FileCreateDate field linked to macOS's MDItemFSCreationDate attribute. While the filename parameter receives proper escaping before being passed to the system() function, the date value extracted from file metadata does not. This oversight allows attackers to inject single quotes and break the command structure, enabling arbitrary code execution.
Exploitation requires specific conditions but remains practical for targeted attacks. An attacker must craft a malicious image with a poisoned DateTimeOriginal tag containing shell commands, then use ExifTool's -tagsFromFile feature to copy this value into FileCreateDate while invoking the -n flag. The -n flag bypasses ExifTool's PrintConvInv validation filter, which normally rejects malformed dates, allowing raw unsanitized values to reach the vulnerable system() call. When the metadata is copied, the injected commands execute with the privileges of the user running ExifTool, potentially leading to full system compromise.
The vulnerability poses significant risks to organizations that process untrusted images on macOS systems, including newsrooms, photo agencies, marketing departments, and any workflow involving bulk image processing. A weaponized image appears completely legitimate and could easily enter an organization through normal channels. Once processed, attackers could deploy trojans for data theft, install additional malware, or establish persistent access for lateral movement within corporate networks. The attack surface extends beyond standalone ExifTool installations to any application embedding the vulnerable library.
ExifTool version 13.50 addresses the vulnerability through architectural changes rather than additional input filtering. The patch replaces string concatenation with list-form system calls, passing arguments as separate array elements instead of a single concatenated string. This approach eliminates shell interpretation entirely, removing the need for manual escaping. Organizations should immediately upgrade to version 13.50 or later across all systems, including asset management platforms, photo organization applications, and automated processing scripts. Security teams should audit their software supply chain for embedded copies of older ExifTool versions and implement isolation measures for processing untrusted files, restricting such operations to dedicated machines or virtual environments with limited network access.
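The two patterns contrasted above (a shell command string with an unescaped metadata value versus the list-form call of the 13.50 fix) are reproduced below in Python as an added example; it is not ExifTool's own code, which is Perl, and the real SetMacOSTags routine is not shown. The `setfile` command name is a placeholder for whatever date-setting command ExifTool invokes, and the poisoned date value is constructed for the demonstration. The block also includes a small version check a security team can run against `exiftool -ver` output when auditing for pre-13.50 copies.

```python
"""Added example: the command-injection pattern behind CVE-2026-3102 and the
list-form fix, reproduced in Python. ExifTool itself is Perl and its real
SetMacOSTags code is not shown here; 'setfile' below is a placeholder for
whatever macOS date-setting command it invokes."""
import json
import shlex
import shutil
import subprocess
import sys
from decimal import Decimal
from typing import Optional

# Constructed test input: a date value carrying single quotes. In the real
# bug the value would arrive via DateTimeOriginal in an untrusted image.
POISONED_DATE = "2026:02:01 12:00:00' extra-word '"
FILENAME = "photo.jpg"


def build_shell_string(filename: str, date_value: str) -> str:
    """Vulnerable pattern: a single string destined for a shell.

    The filename is escaped (as the page says ExifTool did), but the date
    value is interpolated raw, which is the 13.49 oversight."""
    return f"setfile -d '{date_value}' {shlex.quote(filename)}"


def shell_words(command: str) -> list:
    """Split a command string the way a POSIX shell would. Any words beyond
    the four expected (setfile, -d, date, file) mean the data has escaped
    its quotes and become part of the command structure."""
    return shlex.split(command)


def build_argv(filename: str, date_value: str) -> list:
    """Hardened pattern (the shape of the 13.50 fix): an argv list. Each
    element reaches the child as exactly one argument; no shell parses it,
    so no escaping is needed and quotes in the data stay data."""
    return ["setfile", "-d", date_value, filename]


def run_list_form(filename: str, date_value: str) -> list:
    """Run the list form against a harmless stand-in for 'setfile': a Python
    one-liner that echoes its argv as JSON. Returns the arguments exactly as
    the child process received them."""
    argv = build_argv(filename, date_value)
    stand_in = [sys.executable, "-c",
                "import json, sys; print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(stand_in + argv[1:], capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


def is_fixed_version(ver_output: str) -> bool:
    """True if `exiftool -ver` output (e.g. '13.49') is 13.50 or later.
    ExifTool versions are decimal numbers, so Decimal compares them
    correctly (13.50 > 13.49, 14.00 > 13.50)."""
    return Decimal(ver_output.strip()) >= Decimal("13.50")


def audit_installed_exiftool() -> Optional[str]:
    """Report on the exiftool found on PATH, or None if there is none."""
    exe = shutil.which("exiftool")
    if exe is None:
        return None
    ver = subprocess.run([exe, "-ver"], capture_output=True, text=True,
                         check=True).stdout.strip()
    state = "fixed" if is_fixed_version(ver) else "VULNERABLE (CVE-2026-3102)"
    return f"{exe}: version {ver} -> {state}"


if __name__ == "__main__":
    words = shell_words(build_shell_string(FILENAME, POISONED_DATE))
    print("string form, shell words:", words)          # 6 words, not 4
    print("list form, child argv:", run_list_form(FILENAME, POISONED_DATE))
    print(audit_installed_exiftool() or "exiftool not on PATH")
```

With the string form, `shell_words` returns six words instead of four: the quoted date closes early and `extra-word` becomes a separate shell word, which is exactly the structural break the advisory describes. With the list form, the child receives the poisoned value as one intact argument, so there is nothing for a shell to reinterpret. The `-n` flag issue on the page is orthogonal to this: the list form stays safe whether or not the value was validated first, which is why the fix needs no new filtering.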
Source: https://securelist.com/exiftool-compromise-mac/119866/