ExifTool is a ubiquitous open-source solution for reading, writing, and editing image metadata. It’s the go-to tool for photographers and digital archivists, and is widely used in data analytics, digital forensics, and investigative journalism.
Can a computer really get infected just by processing an image, even on macOS, which is often (incorrectly) thought to be immune to such attacks? The answer, unfortunately, is yes.
The vulnerability, tracked as CVE-2026-3102, affects ExifTool, a popular open-source utility for reading and editing image metadata. It’s widely integrated into applications for photography, digital archiving, data analytics, and even investigative journalism.
Security researchers from Kaspersky’s Global Research and Analysis Team (GReAT) have revealed a critical vulnerability in ExifTool that allows malicious image files to execute code on macOS systems.
Because so many image-handling tools depend on ExifTool’s library, the vulnerability potentially impacts thousands of macOS systems.
What Is ExifTool?
ExifTool is a free and open-source utility that extracts, edits, and processes metadata, the hidden information inside files describing attributes such as date, time, camera model, GPS coordinates, or author name.
Professionals use ExifTool for managing digital assets, correcting timestamps, extracting data from specialized file types like RAW or DICOM, and embedding GPS or descriptive tags.
It is valued for supporting hundreds of file formats and being extremely flexible. ExifTool can be used as a command-line tool or integrated into other software via its open-source code, meaning it’s often built directly into digital asset management platforms, image editors, and automated processing scripts.
Researchers discovered that ExifTool versions 13.49 and earlier can execute malicious code when processing an image containing crafted metadata.
Specifically, the attack exploits how ExifTool reads the DateTimeOriginal metadata field, which typically stores the time a photo was taken.
If this field includes shell commands disguised as malformed date values, macOS systems running vulnerable ExifTool versions can execute those commands.
However, two specific conditions must be met for the exploit to trigger:
- The system must be running macOS.
- ExifTool must be executed with the -n (or --printConv) flag, which outputs raw numerical data without text conversion.
When these criteria are met, the embedded commands run in the system shell, allowing attackers to download and execute payloads such as Trojans, infostealers, or backdoors.
A likely attack scenario might involve a journalist or law firm receiving an image for analysis. Their system automatically processes the file via ExifTool, unknowingly triggering code execution and compromising their macOS workstation.
Mitigations
The vulnerability was responsibly reported to ExifTool’s developer, who quickly released version 13.50 to resolve the issue. Users of earlier builds are strongly advised to upgrade immediately.
To verify protection:
- Check that macOS systems are using ExifTool version 13.50 or newer.
- Confirm that third-party software (such as image organizers, photo editors, or DAM systems) isn’t embedding an outdated ExifTool library.
- Conduct a review of any automated image-processing scripts to ensure they reference the patched version.
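One way to carry out the version checks above, as an added example that is not part of the original article or the ExifTool project: a POSIX shell script that finds copies of the Image::ExifTool library under the directories passed to it and flags any older than 13.50. It assumes bundled copies keep the Perl distribution layout (.../Image/ExifTool.pm) and declare their version in a `$VERSION = '...'` line; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the ExifTool project): inventory copies of the
# Image::ExifTool library on disk and flag any older than the fixed release.
FIXED="13.50"   # first patched version, as stated in the article

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# pm_version FILE: print the version declared in an ExifTool.pm file.
# Assumption: the module declares it as a line of the form  $VERSION = '13.49';
pm_version() {
    sed -n "s/^[\$]VERSION *= *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# audit_exiftool ROOT...: one verdict line per ExifTool.pm found under the roots.
# Assumption: bundled copies keep the distribution layout .../Image/ExifTool.pm.
audit_exiftool() {
    find "$@" -type f -path '*/Image/ExifTool.pm' 2>/dev/null |
    while IFS= read -r f; do
        v=$(pm_version "$f")
        if [ -z "$v" ]; then
            echo "UNKNOWN ? $f"          # version line missing: inspect by hand
        elif version_lt "$v" "$FIXED"; then
            echo "VULNERABLE $v $f"      # older than the fixed release
        else
            echo "OK $v $f"
        fi
    done
}

# Stand-alone use: ./audit.sh /Applications /usr/local /opt/homebrew
if [ "$#" -gt 0 ]; then
    command -v exiftool >/dev/null 2>&1 && echo "PATH exiftool: $(exiftool -ver)"
    audit_exiftool "$@"
fi
```

Copies that an application ships in packed or compiled form will not show up in this listing and need the vendor's confirmation instead.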
While updating ExifTool is essential, organizations should also isolate workflows involving untrusted images. Security teams can minimize risk by:
- Processing suspicious files within virtual environments or sandboxed systems.
- Restricting the infected machine’s network and storage access.
- Using endpoint protection tools capable of detecting and blocking abnormal script execution on macOS.
As this case demonstrates, even something as seemingly harmless as a photograph can become an attack vector. Vigilance, patch discipline, and secure processing practices remain critical in defending against evolving software supply chain threats.

