Identifier of the vulnerability: None

Affected software:

• Linux: Cron daemons (cronie, dcron, fcron)
• Windows: Task Scheduler (C:\Windows\System32\Tasks\)
• macOS: launchd (LaunchDaemons/LaunchAgents), legacy cron

Type of vulnerability: Privilege Escalation / Configuration Security

Implementation approach:

• Linux: Parse /etc/crontab, /etc/cron.d/*, /etc/cron.*/*, /var/spool/cron/* for jobs running as root that reference scripts with overly permissive permissions or world-writable paths.
• Windows: Parse XML task definitions in C:\Windows\System32\Tasks\ and check <Command> targets. Flag tasks running as SYSTEM/Administrator that call binaries/scripts in writable directories.
• macOS: Parse plist files in /System/Library/LaunchDaemons/, /Library/LaunchDaemons/, /Library/LaunchAgents/, and ~/Library/LaunchAgents/. Flag daemons/agents running as root or privileged users with executables in insecure paths. Legacy cron tabs (/usr/lib/cron/tabs/*) can be scanned similarly to Linux.

Resources:

• https://linux.die.net/man/5/crontab
• https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page
• https://www.launchd.info/](https://www.launchd.info/)