A serious macOS flaw known as “Sploitlight” was discovered by Microsoft’s Threat Intelligence team. It abused Apple’s Spotlight search function to get around privacy safeguards and obtain private user information. The vulnerability, identified as CVE-2025-31199, mostly affected Apple Intelligence cached data, potentially exposing it without user authorization, including face recognition metadata and exact location data. Apple fixed the vulnerability in macOS Sequoia 15.4 in March 2025, but users of earlier versions are still at risk.
Taking Advantage Of The Plugin Architecture Of Spotlight
The way Spotlight handles plugin data for indexing and search functionality was the main source of the vulnerability. According to Microsoft’s security blog, researchers found that attackers could manipulate Spotlight importers, the specialized plugins that help index content from different programs, to bypass Apple’s Transparency, Consent, and Control (TCC) framework. In contrast to earlier TCC bypasses that Microsoft had discovered, such as “powerdir” and “HM-Surf,” Sploitlight presented more serious threats because it could harvest metadata from Apple Intelligence.
By altering plugin configuration files and putting them in user-writable directories, attackers could make Spotlight index and run the malicious code without triggering security alerts. The technique allowed attackers to stealthily retrieve private data from protected directories such as Downloads and Pictures by using the system log to record the contents of files in chunks. Notably, the malicious plugins did not need to be code signed, which made the attack vector more accessible to attackers.
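A defender can inventory importers sitting in a user-writable location and see which are unsigned and which file types they ask Spotlight to hand them. The following audit script is an added example, not code from Microsoft or Apple. It assumes details the article does not give: the per-user directory ~/Library/Spotlight, the .mdimporter bundle extension, the standard Info.plist keys, and the presence of a _CodeSignature manifest as a signing hint.

```python
import plistlib
from pathlib import Path

# Assumption: per-user Spotlight importers live here; no admin rights needed to write.
USER_IMPORTER_DIR = Path.home() / "Library" / "Spotlight"


def claimed_content_types(info):
    """Return the UTIs an importer's Info.plist asks Spotlight to route to it."""
    types = set()
    if not isinstance(info, dict):
        return []
    for doc_type in info.get("CFBundleDocumentTypes", []):
        if isinstance(doc_type, dict):
            types.update(doc_type.get("LSItemContentTypes", []))
    return sorted(types)


def audit_importers(root=USER_IMPORTER_DIR):
    """Inventory *.mdimporter bundles under root; record signing state and claims."""
    findings = []
    root = Path(root)
    if not root.is_dir():
        return findings
    for bundle in sorted(root.glob("*.mdimporter")):
        contents = bundle / "Contents"
        entry = {"bundle": bundle.name, "bundle_id": None,
                 "content_types": [], "signed": False, "error": None}
        # Signed bundles carry a sealed manifest here. Its presence is only a
        # hint; confirm on macOS with `codesign --verify <bundle>`.
        entry["signed"] = (contents / "_CodeSignature" / "CodeResources").is_file()
        try:
            with open(contents / "Info.plist", "rb") as fh:
                info = plistlib.load(fh)
            entry["content_types"] = claimed_content_types(info)
            if isinstance(info, dict):
                entry["bundle_id"] = info.get("CFBundleIdentifier")
        except Exception as exc:  # missing or malformed plist is itself a finding
            entry["error"] = type(exc).__name__
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_importers():
        flag = "ok" if f["signed"] and not f["error"] else "REVIEW"
        print(flag, f["bundle"], f["bundle_id"], f["content_types"], f["error"])
```

An unsigned importer that claims broad types such as images or plain text, and that no installed application accounts for, is the pattern worth investigating.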
Apple Intelligence Information At Risk
The ramifications of the vulnerability go beyond ordinary file access breaches. Apple Intelligence, which is installed by default on ARM-based devices, stores highly sensitive information in cached data, and the vulnerability made that information available. Microsoft’s research revealed that attackers could retrieve user preferences, search history, face and person recognition information, exact GPS positions, and even deleted images and videos.
Because of iCloud’s synchronization features, the danger extended throughout Apple’s ecosystem. Researchers at Microsoft pointed out that by exploiting one macOS computer, an attacker would be able to learn more about other devices connected to the same iCloud account, widening the exposure across a user’s digital footprint.
Quick Reaction And Persistent Issues
Apple and Microsoft worked together to disclose the issue, and on March 31, 2025, updates for macOS Sequoia 15.4 were released. The fix, “improved data redaction,” stops unwanted access to private data. Microsoft encouraged customers to install security updates right away and thanked Apple’s security team for their cooperation.
Following the “Shrootless” and “Migraine” macOS vulnerabilities, which circumvented Apple’s System Integrity Protection, this disclosure represents a new phase in Microsoft’s continuing security research across platforms. As tech companies incorporate artificial intelligence technologies into their operating systems while balancing innovation with strong privacy protections, the disclosure highlights the changing security challenges.

