
Positive Technologies specialist Yegor Filatov discovered and helped fix a vulnerability in Tunnelblick (a graphical interface for OpenVPN). The issue allowed privilege escalation and data theft. Notably, it could be exploited even in cases of incomplete application removal.
The vulnerability has been assigned the identifiers CVE-2025-43711 and PT-2025-25226 (8.1 out of 10 on the CVSS 3.1 scale). It affected all versions of Tunnelblick from 3.5beta06 through 6.1beta2. Exploiting the bug allowed an attacker to escalate privileges on the victim’s computer.
“For a successful attack, the adversary would need a user account with the ability to change macOS settings. Since administrative rights are granted by default, virtually anyone could have become a victim. Another condition: exploitation would have been possible only if Tunnelblick had not been fully removed from the computer—for example, if it was simply moved to the Trash. In that case, a component running with elevated privileges would have remained on the device, and an attacker could have leveraged it,” says Yegor Filatov, a junior specialist on Positive Technologies’ mobile application security research team.
If the application was not fully removed, an attacker could place malware on the victim’s device that leverages Tunnelblick’s privileged component. At the next system startup, the attacker’s privileges would be escalated automatically, giving them the ability to perform arbitrary operations.
The developer released updates after being notified of the bug. Users are advised to update Tunnelblick to version 7.0, 7.1beta01, or later. If downloading the fix is not possible for any reason, experts recommend protecting yourself in one of two ways: do not delete Tunnelblick.app from the /Applications folder, or log in as a standard user (without administrator privileges).
For users who no longer need Tunnelblick, the project team recommends removing the application with the built-in uninstaller. To do this, open the “VPN Details” window and find the “Utilities” panel. If there is no “Uninstall” button there, use the separate Tunnelblick uninstaller or another uninstaller. Those who moved the application to the Trash are advised to delete the file located at /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist.
An alternative approach is to reinstall any version of Tunnelblick and then remove it completely according to the recommendations.
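The incomplete-removal state the article describes (Tunnelblick.app gone from /Applications, but the privileged launch daemon still registered) can be checked from a shell. The script below is an added example, not code from Positive Technologies or the Tunnelblick project; the two paths are taken from the article, the function names and the `launchctl bootout` step before deleting the plist are assumptions.

```bash
#!/bin/sh
# Added example: detect a leftover Tunnelblick LaunchDaemon after the app bundle
# was moved to the Trash, and print the cleanup the project recommends.
# Paths are from the article; function names are our own.

APP_PATH="/Applications/Tunnelblick.app"
PLIST_PATH="/Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist"

# orphaned_daemon APP PLIST
# Returns 0 when the app bundle is absent but the daemon plist is still present,
# i.e. the state the vulnerability depends on; returns 1 otherwise.
orphaned_daemon() {
    if [ ! -d "$1" ] && [ -f "$2" ]; then
        return 0
    fi
    return 1
}

# report APP PLIST
# Prints one word (installed | orphaned-daemon | clean) so the result can be
# consumed by an inventory or compliance script.
report() {
    if [ -d "$1" ]; then
        echo "installed"
    elif [ -f "$2" ]; then
        echo "orphaned-daemon"
    else
        echo "clean"
    fi
}

main() {
    echo "Tunnelblick state: $(report "$APP_PATH" "$PLIST_PATH")"
    if orphaned_daemon "$APP_PATH" "$PLIST_PATH"; then
        echo "Privileged helper is registered without the app. To remove it (admin required):"
        # Unloading first is an assumed extra step; the article only says to delete the file.
        echo "  sudo launchctl bootout system \"$PLIST_PATH\""
        echo "  sudo rm \"$PLIST_PATH\""
        echo "Or reinstall Tunnelblick and run its built-in uninstaller (VPN Details > Utilities)."
    fi
}

main "$@"
```

Run it as any user to see the state; only the printed cleanup commands need administrator rights.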
