Critical Command Injection Vulnerability in Speedify VPN Could Give Full Control Over Unpatched macOS Systems

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

A critical command injection vulnerability has been found in Speedify VPN's privileged helper tool. Tracked as CVE-2025-25364, it could allow a threat actor with local access to escalate privileges to root and gain full control over the system.

Speedify VPN version 15.0.0 for macOS is affected by the flaw, which could potentially expose millions of the VPN's users. It was discovered by SecureLayer7 and has been fixed by the vendor in version 15.4.1.

The flaw was found in the me.connectify.SMJobBlessHelper XPC service, the helper tool that runs with elevated privileges to perform system-level network operations on behalf of the application.

The update completely rewrites the helper tool. The new version implements the required input validation and removes the command injection vector, so the flaw can no longer be exploited.

The helper did not properly validate the user-controlled cmdPath and cmdBin fields of incoming XPC messages. An attacker able to send XPC messages to the helper could therefore inject arbitrary commands, which the helper executed with root privileges, giving the attacker full control over an unpatched macOS system.

According to a report by Cyber Security News, the helper built the command string with asprintf, embedding the user-supplied cmdPath and cmdBin values directly into the format string before executing it.
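The injection pattern described above, as an added example that is not Speedify's or SecureLayer7's code: a hypothetical reconstruction of a helper that formats cmdPath and cmdBin into a shell command line with asprintf, beside a hardened version that allowlists both fields and builds an argv for execv(2) instead of a shell line. The format string, the allowlists, the argument character set and the function names are all assumptions made for the illustration; the attacker input is constructed.

```c
#define _GNU_SOURCE            /* asprintf(3) is a GNU/BSD extension; macOS exposes it by default */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

int asprintf(char **strp, const char *fmt, ...); /* explicit prototype in case feature macros were fixed earlier */

/* --- Vulnerable pattern (hypothetical reconstruction; the exact format string
 *     used by the real helper is not shown on the page) ---
 * cmdPath and cmdBin arrive in an XPC message from an unprivileged client and
 * are pasted straight into one shell command line.  Anything the shell treats
 * specially (';', '|', '$(...)', backticks, ...) becomes a second command that
 * runs with the helper's root privileges.  Caller frees the result. */
char *build_shell_command_vulnerable(const char *cmdPath, const char *cmdBin,
                                     const char *args)
{
    char *cmd = NULL;
    if (asprintf(&cmd, "%s/%s %s", cmdPath, cmdBin, args) < 0)
        return NULL;
    return cmd;   /* the vulnerable helper would now hand this to system()/popen() */
}

/* Does a string contain characters a POSIX shell would interpret? (demo only) */
int contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$()<>{}\n\"'\\*?") != NULL;
}

/* --- Hardened replacement ---
 * 1. The directory and binary name must each match a fixed allowlist
 *    (hypothetical list; a real helper would allow exactly the tools it needs).
 * 2. cmdBin is compared as a whole word, so "ping; id" or "../evil" never matches.
 * 3. Arguments are restricted to a conservative character set.
 * 4. The result is an argv[] for execv(2), never a shell command line, so
 *    even a surprising argument reaches the tool as literal text. */
static const char *const ALLOWED_DIRS[] = { "/sbin", "/usr/sbin", "/usr/bin", NULL };
static const char *const ALLOWED_BINS[] = { "ifconfig", "route", "networksetup", "ping", NULL };

static int in_list(const char *const *list, const char *v)
{
    for (; *list; list++)
        if (strcmp(*list, v) == 0)
            return 1;
    return 0;
}

static int safe_arg(const char *a)
{
    size_t n = strlen(a);
    if (n == 0 || n > 64)
        return 0;
    for (; *a; a++)
        if (!isalnum((unsigned char)*a) && *a != '.' && *a != '-' && *a != ':' && *a != '_')
            return 0;
    return 1;
}

/* Fills argv (NULL-terminated, heap strings) for execv(); returns 0, or -1 if
 * any field is rejected.  Nothing is built until every field has passed. */
int build_argv_hardened(const char *cmdPath, const char *cmdBin,
                        const char *arg, char *argv[4])
{
    if (!cmdPath || !cmdBin || !arg)
        return -1;
    if (!in_list(ALLOWED_DIRS, cmdPath) || !in_list(ALLOWED_BINS, cmdBin) || !safe_arg(arg))
        return -1;

    char *full = NULL;
    if (asprintf(&full, "%s/%s", cmdPath, cmdBin) < 0)   /* same asprintf, but into argv[0], not a shell line */
        return -1;
    argv[0] = full;
    argv[1] = strdup(arg);
    argv[2] = NULL;
    argv[3] = NULL;
    if (!argv[1]) { free(full); argv[0] = NULL; return -1; }
    return 0;
}

void free_argv(char *argv[])
{
    for (int i = 0; argv[i]; i++)
        free(argv[i]);
}

int main(void)
{
    /* Constructed attacker input: a valid-looking binary name with a second command appended. */
    const char *evil_bin = "ping; touch /tmp/pwned";

    char *cmd = build_shell_command_vulnerable("/usr/sbin", evil_bin, "127.0.0.1");
    printf("vulnerable helper would run: %s\n", cmd);
    printf("shell metacharacters present: %s\n", contains_shell_metachar(cmd) ? "yes" : "no");
    free(cmd);

    char *argv[4];
    printf("hardened helper accepts it: %s\n",
           build_argv_hardened("/usr/sbin", evil_bin, "127.0.0.1", argv) == 0 ? "yes" : "no");
    if (build_argv_hardened("/usr/sbin", "ping", "127.0.0.1", argv) == 0) {
        printf("hardened helper would execv(\"%s\", [\"%s\", \"%s\"])\n", argv[0], argv[0], argv[1]);
        free_argv(argv);
    }
    return 0;
}
```

The point of the hardened version is that validation happens on each field as a whole value, not on the assembled string: checking the final command line for metacharacters would still let an attacker pick any binary on disk, whereas an allowlist plus execv leaves the unprivileged client no way to choose what root runs beyond the handful of tools the helper is meant to invoke.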

If the update is not installed, attackers could read and modify system data, install malware, and create backdoors for further data exchange with their servers while evading detection.

Addressing the flaw, SecureLayer7 stated, "This flaw highlights the importance of rigorous input validation and secure coding practices, especially in privileged components."
