A vulnerability in Apple’s macOS Spotlight search tool has been uncovered by Microsoft’s Threat Intelligence team, potentially exposing users’ most sensitive data to attackers until it was patched earlier this year. The vulnerability, officially tracked as CVE-2025-31199 and known as “Sploitlight,” highlights the evolving risks to user privacy in the age of AI-driven device features and cloud sync.
Microsoft researchers identified that custom Spotlight plugins could be crafted and placed in user-writable directories. Upon indexing, Spotlight would execute these plugins, unintentionally granting them access to protected locations including files in the Downloads folder, Safari data, and critically, caches generated by Apple Intelligence (AI-powered features across Apple devices).
Transparency, Consent, and Control (TCC) is a macOS security framework that ensures applications require user permission before accessing sensitive data such as location, photos, and microphone. However, “Sploitlight” exploited Spotlight plugins’ privileged access, effectively bypassing TCC and allowing unauthorized reads of information that should have remained secure.
This breadth of access represents one of the more severe cross-device risks macOS users have faced, raising concerns about potential privacy breaches, stalking, and misuse of AI-enhanced device intelligence.
Once alerted by Microsoft, Apple investigated and addressed the issue with a fix deployed in the macOS Sequoia 15.4 update at the end of March 2025. The update applied improved data redaction and strengthened how Spotlight handles and executes plugins, ensuring private directories and caches are no longer vulnerable to this method of attack.
There is currently no evidence that this vulnerability was exploited in the wild before Apple released the fix, as public disclosure only occurred after the patch became available. Both Apple and Microsoft have emphasized the importance of keeping macOS updated to the most recent version, especially for users with Apple Intelligence features or multiple Apple devices synced via iCloud.
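A defender can check both conditions described above, the patch level and the presence of Spotlight plugins in a user-writable directory, with a short audit script. This is an added example, not code from Apple, Microsoft or the original article; it assumes the per-user importer location `~/Library/Spotlight` and the `.mdimporter` bundle extension (neither is named in the article) and treats 15.4 as the fixed baseline.

```shell
#!/bin/sh
# Added audit example, not from the article or from Apple/Microsoft.
# Assumptions: per-user importers are *.mdimporter bundles under
# ~/Library/Spotlight; 15.4 is the fixed release the article names.
FIXED_VERSION="15.4"

# version_at_least HAVE WANT: succeeds when HAVE >= WANT (dotted numeric).
version_at_least() {
    have=$1 want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}          # leading component of each
        [ "$have" = "$h" ] && have="" || have=${have#*.}
        [ "$want" = "$w" ] && want="" || want=${want#*.}
        h=${h:-0}; w=${w:-0}                  # missing component counts as 0
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# list_user_importers [DIR]: prints one importer bundle path per line.
list_user_importers() {
    dir=${1:-"$HOME/Library/Spotlight"}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type d -name '*.mdimporter' | sort
}

# audit_host VERSION [DIR]: prints findings; returns 1 if anything needs review.
audit_host() {
    version=$1 dir=${2:-"$HOME/Library/Spotlight"}
    status=0
    if ! version_at_least "$version" "$FIXED_VERSION"; then
        echo "UNPATCHED: macOS $version is older than $FIXED_VERSION"
        status=1
    fi
    found=$(list_user_importers "$dir")
    if [ -n "$found" ]; then
        echo "REVIEW: importer bundles in user-writable $dir:"
        echo "$found" | sed 's/^/  /'
        status=1
    fi
    return $status
}

# On a Mac, audit the live host; elsewhere only the functions are defined.
if command -v sw_vers >/dev/null 2>&1; then
    audit_host "$(sw_vers -productVersion)" || true
fi
```

A listed bundle is not proof of compromise, since legitimate applications can install importers; it marks something to verify against known software.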