Critical ExifTool flaw allows malicious images to execute code on macOS


A critical vulnerability in ExifTool, a widely used open-source metadata utility, could allow attackers to execute malicious commands on macOS systems using specially crafted image files. The flaw, tracked as CVE-2026-3102, enables attackers to embed shell commands in image metadata that execute when the file is processed by vulnerable versions of ExifTool.

Security researchers warn that the vulnerability could affect organizations that rely heavily on automated image processing pipelines, including media companies, forensic laboratories, and digital asset management platforms. Because ExifTool is frequently embedded in third-party applications and automated workflows, many systems may unknowingly run vulnerable versions.

The vulnerability was discovered by Kaspersky’s Global Research and Analysis Team (GReAT) and reported to ExifTool developer Phil Harvey, who released a fix in ExifTool version 13.50 shortly after disclosure.

Why ExifTool is widely used

ExifTool has become one of the most widely adopted tools for extracting and modifying metadata from images, videos, and documents. It supports hundreds of file formats and is used across industries for tasks such as analyzing GPS data, camera settings, timestamps, and other metadata embedded in digital files.

The tool is not only used directly by photographers and archivists but is also integrated into many automation systems. Examples include digital asset management platforms, forensic analysis tools, and media ingestion pipelines. In large organizations, ExifTool often runs automatically in the background as part of file processing workflows.

This widespread integration means a vulnerability in ExifTool can affect multiple systems simultaneously, especially when embedded libraries remain outdated.

How the attack works

The exploit relies on manipulating the DateTimeOriginal metadata field in an image file. This field normally stores the timestamp of when a photograph was taken.

Attackers insert malicious shell commands into the field using an intentionally malformed metadata format. When the file is processed by a vulnerable version of ExifTool, the hidden commands may execute on the system.

The attack becomes possible under a specific processing condition. The vulnerability triggers when ExifTool runs with the -n flag (also known as --printConv), which instructs the tool to output metadata values in raw machine-readable form rather than converting them into human-readable formats.

This output mode is commonly used in automation pipelines because it simplifies parsing and integration with scripts or other software.

When these conditions are met, the malicious metadata may be interpreted as executable commands.
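An added example, not from the article or the ExifTool project: a Python audit that flags lines of pipeline code where exiftool is invoked with the -n / --printConv flag described above. The sample text and the function name are constructed for illustration. The result only helps prioritise which workflows meet the trigger condition.

```python
import re

# An exiftool invocation: the bare name or any path ending in /exiftool.
EXIFTOOL_RE = re.compile(r"(?<![\w.-])(?:[\w./~$-]*/)?exiftool\b", re.I)
# The trigger flags named in the article, matched only as stand-alone arguments
# so tag names such as -Name or file names such as photo-n.jpg do not count.
FLAG_RE = re.compile(r"(?<![\w-])(-n|--printConv)(?![\w-])")

# Constructed sample of pipeline code (shell and Python mixed for illustration).
SAMPLE = """\
#!/bin/sh
# ingest step
exiftool -json "$1" > meta.json
/usr/local/bin/exiftool -n -json "$1" > raw.json
find incoming -name '*.jpg' | xargs exiftool -G --printConv -DateTimeOriginal
subprocess.run(["exiftool", "-n", "-j", path], check=True)
exiftool -Name photo-n.jpg
"""


def risky_invocations(text):
    """Return (line number, flags, line) for exiftool calls using -n/--printConv."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):        # skip comments and the shebang
            continue
        call = EXIFTOOL_RE.search(line)
        if not call:
            continue
        # Only arguments that follow the exiftool command itself are relevant.
        flags = sorted(set(FLAG_RE.findall(line[call.end():])))
        if flags:
            hits.append((lineno, flags, stripped))
    return hits


if __name__ == "__main__":
    for lineno, flags, line in risky_invocations(SAMPLE):
        print(f"line {lineno}: {', '.join(flags)}  ->  {line}")
```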

Vulnerability details

| Field | Details |
|---|---|
| CVE ID | CVE-2026-3102 |
| Vulnerability type | OS command injection |
| CWE classification | CWE-78 |
| Affected software | ExifTool versions 13.49 and earlier |
| Affected platform | macOS |
| Exploit method | Malicious commands embedded in DateTimeOriginal metadata |
| Trigger condition | Processing image with -n / --printConv flag |
| Impact | Remote code execution, malware deployment, data theft |
| Patch version | ExifTool 13.50 |
| Discovery | Kaspersky GReAT |

Security researchers say the vulnerability may be difficult for traditional security tools to detect because the malicious payload is stored in metadata fields rather than visible file content.

This makes it possible for a malicious image to appear completely normal while still carrying hidden commands.

Potential impact

If exploited successfully, the vulnerability can allow attackers to run arbitrary commands on the affected macOS system.

Possible outcomes include:

  • Downloading and executing additional malware
  • Installing Trojans or backdoors
  • Deploying information-stealing malware
  • Accessing sensitive files stored on the system
  • Pivoting to other systems within a network

The risk increases in environments where files from external sources are processed automatically without manual inspection.

Examples of high-risk environments include:

  • Media and newsroom image pipelines
  • Digital forensics laboratories
  • Legal document processing systems
  • Medical imaging workflows
  • Content ingestion platforms

In these environments, a single malicious image submitted through a normal workflow could trigger the exploit.

Mitigation and protection steps

Organizations and individual users should update their ExifTool installations immediately.

Recommended actions include:

  • Upgrade to ExifTool version 13.50 or later
  • Audit automation pipelines that process image metadata
  • Verify that third-party tools are not using embedded vulnerable versions
  • Process untrusted images in isolated environments
  • Monitor systems for unusual command execution events

Security teams should also review supply chain dependencies to ensure outdated open-source components are not being used within internal tools.
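An added example, not from the article or the ExifTool project: a Python audit that walks the directories given on the command line for bundled copies of the ExifTool Perl module (Image/ExifTool.pm) and compares the declared version with 13.50, without executing anything it finds. It assumes the module declares its release in the form $VERSION = '13.49'; and that ExifTool versions compare as decimal numbers.

```python
import os
import re
import sys
from decimal import Decimal

FIXED_VERSION = Decimal("13.50")  # first fixed release according to the article

# Assumption: the bundled module declares its release as  $VERSION = '13.49';
VERSION_RE = re.compile(r"""^\s*\$VERSION\s*=\s*['"](\d+\.\d+)['"]""", re.M)


def module_version(path):
    """Return the version declared in an ExifTool.pm file, or None."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(64 * 1024)  # the declaration sits near the top
    except OSError:
        return None
    match = VERSION_RE.search(head)
    return Decimal(match.group(1)) if match else None


def is_vulnerable(version):
    """Versions are treated as plain decimals, so 13.49 < 13.50."""
    return version is not None and version < FIXED_VERSION


def audit(roots):
    """Walk each root and report every Image/ExifTool.pm copy found."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            if "ExifTool.pm" in files and os.path.basename(dirpath) == "Image":
                path = os.path.join(dirpath, "ExifTool.pm")
                ver = module_version(path)
                status = ("UNKNOWN" if ver is None
                          else "VULNERABLE" if is_vulnerable(ver) else "ok")
                findings.append((path, None if ver is None else str(ver), status))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_exiftool.py <dir> [<dir> ...]
    for path, ver, status in audit(sys.argv[1:]):
        print(f"{status:10} {ver or '?':>6}  {path}")
```

Copies reported as UNKNOWN have no readable version declaration and need a manual check.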

Additional defensive practices

To further reduce risk, organizations can implement several security measures.

  • Run image processing workflows in sandboxed environments
  • Limit network access for automated processing systems
  • Monitor system logs for unusual shell execution patterns
  • Apply endpoint detection and response monitoring on macOS hosts

These practices help detect suspicious behavior even if malicious files bypass traditional scanning.

FAQ

What is CVE-2026-3102?

CVE-2026-3102 is a vulnerability in ExifTool that allows attackers to execute shell commands on macOS systems using malicious image metadata.

Which systems are affected?

The flaw affects macOS systems running ExifTool 13.49 or earlier when images are processed using the -n / --printConv flag.

How dangerous is the vulnerability?

If exploited successfully, attackers can run arbitrary commands on the system and deploy additional malware or data-stealing tools.

How can users protect themselves?

Users should update to ExifTool version 13.50 or later and ensure automated workflows do not rely on vulnerable embedded versions of the tool.
