CVE-2025-43711
BaseFortify
Publication date: 2025-07-05
Last updated on: 2025-07-08
Assigner: MITRE
| CWE ID | Description |
|---|---|
| CWE-459 | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43711 is a privilege escalation vulnerability in Tunnelblick versions before 7.0. If Tunnelblick is incompletely uninstalled (for example, by dragging the app to Trash instead of using the built-in uninstaller), an attacker with local or remote access to Finder can drag a specially crafted Tunnelblick.app file into the /Applications folder. Upon the next system reboot, macOS executes a program inside this malicious app with root privileges before any user logs in, allowing the attacker to gain root access without authentication. The vulnerability requires that an administrator is logged in and the computer is unlocked, and it cannot be exploited if Tunnelblick is still installed or completely uninstalled using the proper uninstaller. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain root (highest) privileges on your macOS system without authentication if the conditions are met. This means the attacker can execute arbitrary code as root, potentially taking full control of your system, accessing or modifying any data, installing malware, or disrupting system operations. The attack requires local or remote access to Finder while an administrator is logged in and the system is unlocked, and the vulnerability arises only if Tunnelblick was incompletely uninstalled. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether the file /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist exists on your macOS system. If it exists while the genuine Tunnelblick is no longer installed, a vulnerable Tunnelblick version was incompletely uninstalled. Also verify whether a crafted Tunnelblick.app file is present in the /Applications folder. No specific commands are provided, but you can use standard macOS Terminal commands such as `ls /Applications | grep Tunnelblick.app` to check for the app and `ls /Library/LaunchDaemons/ | grep tunnelblick` to check for the plist file. [1]
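The two checks above can be combined into one classification. This is an added example, not code from the advisory or from Tunnelblick: the two paths are the ones named above, while the root-directory argument and the state labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or from Tunnelblick).
# Paths are the two named on this page; ROOT and the state labels are
# assumptions of this example. ROOT is "/" on a live Mac, or a mounted
# backup/disk image when triaging offline.

PLIST_REL="Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist"
APP_REL="Applications/Tunnelblick.app"

# Print one state label for the volume rooted at $1 (default "/").
tunnelblick_state() {
    root="${1:-/}"
    root="${root%/}"                 # "/" -> "" so the joins below stay clean
    plist="$root/$PLIST_REL"
    app="$root/$APP_REL"

    # -L also catches a dangling symlink, which -e alone reports as absent.
    if [ ! -e "$plist" ] && [ ! -L "$plist" ]; then
        echo "no-daemon-plist"       # never installed, or fully uninstalled
    elif [ -e "$app" ] || [ -L "$app" ]; then
        echo "plist-and-app"         # an app bundle is in place: vet it
    else
        echo "incomplete-uninstall"  # leftover plist with no app: exposed
    fi
}

# Map a state label to the follow-up the page's mitigation list suggests.
next_step() {
    case "$1" in
        no-daemon-plist)
            echo "No leftover launch daemon plist; nothing to clean up." ;;
        plist-and-app)
            echo "Confirm the app is genuine Tunnelblick 7.0 or later." ;;
        incomplete-uninstall)
            echo "Remove the leftover plist, or reinstall and use the uninstaller." ;;
        *)
            echo "Unknown state: $1" ;;
    esac
}

state=$(tunnelblick_state "${1:-/}")
printf '%s: %s\n' "$state" "$(next_step "$state")"
```

The `plist-and-app` state only reports that something named Tunnelblick.app is present; file presence alone cannot tell a genuine bundle from a crafted one.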
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Updating Tunnelblick to version 7.0 or later (or 7.1beta01 or later), which fixes the vulnerability.
2. If updating is not possible, avoid removing Tunnelblick.app by dragging it to Trash; instead, use Tunnelblick's built-in or standalone uninstaller for complete removal.
3. If Tunnelblick was incompletely uninstalled, delete the file /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist to prevent exploitation, though this may leave residual components.
4. Avoid running the system with an administrator logged in and unlocked.
5. Alternatively, reinstall Tunnelblick and then perform a complete uninstall using the proper uninstaller.

[1]