Recommendations for a Mac backup app

There are actually three CVE advisories that were analyzed. Here are the other two:

GitHub - graypixel2121/CVE-2025-57489

The SDAgent component of the SuperDuper! application is a setuid binary. Due to poor design/implementation, the SDAgent exists only to perform shell commands requested by another application, and the SDAgent doesn’t appear to perform any verification of the requesting application, nor implement any guardrails on what sorts of shell commands can be requested. As a result, attackers can get affected versions of the SDAgent tool to run any shell command with root privileges. The fix from the developer addresses only the SDAgent’s failure to verify the requester, it doesn’t address the “puppet” helper tool design, leaving the agent potentially vulnerable to future attacks.

GitHub - graypixel2121/CVE-2025-61229

Root privileges and Full Disk Access are the highest privileges that software can attain on macOS. Any developer that asks for those privileges should be writing software that adheres to modern security design principles and best practices. This vulnerability, as well as those exposed in CVE-2025-57489 and CVE-2025-61228, and even the developer’s own admission that these problems have persisted for 22 years, demonstrate that SuperDuper was not designed to be a secure product, and has not seen regular design improvements over 22 years to adhere to modern security best practices.

SuperDuper task settings continue to be inherently insecure in the current (3.11) version of the product. I would advise anyone using this product to discontinue its use until the developer can provide a competent update that thoroughly resolves all of the aforementioned security concerns.
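The advisory quoted above faults SDAgent on two counts: it does not verify which process is asking, and it places no guardrails on what shell commands it will run. The following C sketch is an added example written for this thread; it is not code from SuperDuper!, from the advisory, or from the poster. It shows the second guardrail only: a privileged helper that accepts a small set of named operations, validates the one caller-supplied argument, and launches a fixed program with execve(2) so no shell ever interprets caller text. The operation names, program paths and the `/Volumes/` restriction are constructed for illustration. Verifying the requester (checking the connecting process's code signature) is a separate step that this example does not implement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 8

/* One allowlisted operation: a fixed executable plus a fixed argv template.
 * "%p" marks the single slot that takes a caller-supplied volume path. */
struct operation {
    const char *name;
    const char *program;
    const char *argv_template[MAX_ARGS];
};

/* Hypothetical allowlist for a backup helper (constructed for this example;
 * these are not SuperDuper!'s real operations). Contrast this with a "puppet"
 * helper that simply passes a received string to system(): there the request
 * itself is the command, and there is nothing to check it against. */
static const struct operation allowlist[] = {
    { "verify-volume",  "/usr/sbin/diskutil", { "diskutil", "verifyVolume", "%p", NULL } },
    { "unmount-volume", "/usr/sbin/diskutil", { "diskutil", "unmount",      "%p", NULL } },
};
static const size_t allowlist_len = sizeof(allowlist) / sizeof(allowlist[0]);

/* A volume path is accepted only if it is an absolute path below /Volumes/,
 * has no ".." component, and carries no control or shell-significant bytes.
 * Because the path is passed via execve(2), the shell-character check is
 * defence in depth rather than the primary protection. */
static bool volume_path_ok(const char *path) {
    if (path == NULL) return false;
    size_t n = strlen(path);
    if (n <= 9 || n >= 1024 || strncmp(path, "/Volumes/", 9) != 0) return false;
    if (strstr(path, "/../") != NULL || strcmp(path + n - 3, "/..") == 0) return false;
    for (const unsigned char *p = (const unsigned char *)path; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f) return false;
        if (strchr(";|&$`'\"\\<>*?(){}[]", *p) != NULL) return false;
    }
    return true;
}

/* Resolve a request to (program, argv). Returns the program path, or NULL if
 * the operation is not allowlisted or the volume argument fails validation.
 * argv_out is NULL-terminated from the template. */
static const char *build_command(const char *op_name, const char *volume,
                                 const char *argv_out[MAX_ARGS]) {
    const struct operation *op = NULL;
    for (size_t i = 0; i < allowlist_len; i++) {
        if (op_name != NULL && strcmp(allowlist[i].name, op_name) == 0) {
            op = &allowlist[i];
            break;
        }
    }
    if (op == NULL || !volume_path_ok(volume)) return NULL;
    for (size_t i = 0; i < MAX_ARGS; i++) {
        const char *t = op->argv_template[i];
        argv_out[i] = (t != NULL && strcmp(t, "%p") == 0) ? volume : t;
        if (t == NULL) break;
    }
    return op->program;
}

/* Predicate for callers and tests: would this request be executed at all? */
static bool request_is_allowed(const char *op_name, const char *volume) {
    const char *argv[MAX_ARGS];
    return build_command(op_name, volume, argv) != NULL;
}

/* Execute an approved request: fixed program, fixed argv, minimal environment.
 * Returns only on rejection or execve failure (-1). */
static int run_request(const char *op_name, const char *volume) {
    const char *argv[MAX_ARGS];
    const char *program = build_command(op_name, volume, argv);
    if (program == NULL) {
        fprintf(stderr, "helper: rejected request '%s' for '%s'\n",
                op_name ? op_name : "(null)", volume ? volume : "(null)");
        return -1;
    }
    char *const envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    execve(program, (char *const *)argv, envp);
    perror("execve");
    return -1;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: helper <operation> </Volumes/...>\n");
        return 2;
    }
    return run_request(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

The design point is that the privileged side decides what can run, and the unprivileged side can only choose among those options and supply a constrained argument. Adding a new capability means adding an allowlist entry, which is reviewable, rather than widening a free-form command interface.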
