Home / Threat Intelligence bulletins / System integrity bypass discovered in macOS devices

Target Industry 

Indiscriminate, opportunistic attacks. 


Microsoft researchers have recently discovered a vulnerability within macOS that can allow threat actors to bypass the security feature system integrity protection (SIP) that prevents certain files within the directory from being modified.  

The new vulnerability, which has been named ‘Migraine’, works by using the ‘systemmigrationd’ process as it is entitled to the permissions required to bypass SIP checks after an attacker has gained root access. Once SIP has been bypassed, malicious files can be injected that are made to be unmodifiable and thus cannot be removed by a scanner even if detected. 

Migraine’ was disclosed to Apple through Coordinated Vulnerability Disclosure (CVD) and has since been fixed by a security update and is now tracked. 


If successfully executed the vulnerability could be used to create persistent malicious files that cannot be removed or quarantined. The exploit could also be used to leverage further attacks from code executions or root kits. This level of exploitation could lead to long-term damage or loss of critical operational systems and the launching of large-scale attacks leveraging the access gained from the attack which could cause substantial financial costs and loss of employment. 

Vulnerability Detection 

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as Migraine. EDRs can alert system users of potential breaches and prevent further progress, prior to the malware being able to implement significant damage. 

Affected Products 


Containment, Mitigations & Remediations 

As mentioned previously, it is recommended that an EDR solution is implemented which will allow for the prevention of potential attacks from a wide range of threats in real time. 

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats. 

Indicators of Compromise 

No specific Indicators of Compromise (IoCs) are available currently. 

Threat Landscape 

Although it has been believed for a long time that the macOS system was safe because it was targeted by less sophisticated attacks, this has been proved wrong with emerging threats in the past few years. A rise of powerful attacks, specifically targeting macOS devices, have been on the rise due to the increase of users on macOS and these users not implanting cyber security best practices cyber security considerations, despite Apple devices being less susceptible.  

Threat Group 

No attribution to specific threat actors or groups has been identified at the time of writing.  

Mitre Methodologies 

Privilege escalation 

T1548 – Abuse Elevation Control Mechanism 

Defence evasion 

T1055 – Process Injection 

Further Information  

New macOS vulnerability, Migraine, could bypass System Integrity Protection

2023 macOS Malware Round-Up