CVE-2025-5687
BaseFortify
Publication date: 2025-06-11
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | vpn | to 2.28.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a local privilege escalation flaw in Mozilla VPN on macOS that allows a normal user to gain root (administrator) privileges on the affected system. It specifically affects Mozilla VPN versions earlier than 2.28.0 on macOS and does not impact other operating systems. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with normal user access to escalate their privileges to root, potentially giving them full control over the system, which can lead to unauthorized access, modification, or deletion of data and system settings. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of Mozilla VPN installed on macOS systems. Systems running Mozilla VPN version 2.27.0 or earlier are vulnerable. You can check the installed version by running the command: `open /Applications/Mozilla\ VPN.app/Contents/Info.plist` or by checking the application version in the VPN client. There are no specific network detection commands provided. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Mozilla VPN on macOS to version 2.28.0 or later, where the privilege escalation flaw has been fixed. Avoid using vulnerable versions (2.27.0 and earlier) until the update is applied. [1]