
CVE-2025-34089: CWE-306 Missing Authentication for Critical Function in Aexol Studio Remote for Mac

Severity: Critical
Tags: Vulnerability, CVE-2025-34089, CWE-306, CWE-94
Published: Thu Jul 03 2025 (07/03/2025, 19:47:00 UTC)
Source: CVE Database V5
Vendor/Project: Aexol Studio
Product: Remote for Mac

Description

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

AI-Powered Analysis

Last updated: 07/03/2025, 20:09:46 UTC

Technical Analysis

CVE-2025-34089 is a critical unauthenticated remote code execution vulnerability affecting Remote for Mac, a macOS remote control utility developed by Aexol Studio. The vulnerability exists in all versions up to and including 2025.7 when the application is configured with authentication disabled via the "Allow unknown devices" option. Under this configuration, the /api/executeScript endpoint is exposed without any access control, allowing unauthenticated remote attackers to send arbitrary AppleScript payloads through the X-Script HTTP header. These payloads are executed using the macOS 'do shell script' command, enabling attackers to run arbitrary commands on the host system with the privileges of the Remote for Mac background process. This vulnerability combines CWE-306 (Missing Authentication for Critical Function) and CWE-94 (Improper Control of Generation of Code), resulting in a highly critical security flaw. The CVSS 4.0 base score is 9.3, reflecting the ease of exploitation (no authentication or user interaction required), the network attack vector, and the high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability’s nature and severity make it a prime target for attackers once disclosed. The lack of authentication on a critical function exposes macOS systems running this software to remote takeover, potentially leading to full system compromise, data theft, lateral movement, or deployment of malware.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those that rely on Remote for Mac for remote management or support of macOS endpoints. Exploitation could lead to unauthorized access to sensitive corporate data, disruption of business operations, and compromise of endpoint integrity. Given the privileges of the exploited process, attackers could install persistent backdoors, exfiltrate confidential information, or pivot to other internal systems. This risk is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government agencies within Europe. Additionally, organizations with remote or hybrid workforces using macOS devices are particularly exposed if the vulnerable configuration is enabled. The potential for widespread impact is notable due to the ease of exploitation and the common use of remote control utilities in IT support and administration.

Mitigation Recommendations

Organizations should immediately audit their Remote for Mac configurations to ensure that authentication is enabled and the "Allow unknown devices" option is disabled. If disabling this option is not feasible, network-level controls such as firewall rules should restrict access to the /api/executeScript endpoint to trusted IP addresses only. Monitoring network traffic for unusual requests to this endpoint can help detect attempted exploitation. Applying any available patches or updates from Aexol Studio as soon as they are released is critical. In the absence of patches, consider temporarily disabling or uninstalling Remote for Mac on critical systems. Employing endpoint detection and response (EDR) solutions to monitor for suspicious AppleScript execution or shell commands initiated by Remote for Mac processes can provide additional detection capabilities. Finally, educating IT staff about the risks of disabling authentication on remote management tools will help prevent insecure configurations.
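The monitoring recommendation above is easy to operationalize once requests to the affected endpoint are visible in a proxy or firewall log. The following script is an added example written for this page, not code from Aexol Studio or from the advisory: it parses a constructed reverse-proxy style log line (client IP, method, path, status, optional JSON header map; the real application's log format is not documented here, so that format is an assumption), flags every request to /api/executeScript from outside a trusted allowlist, and records script submissions from trusted hosts for review. The sample log lines and the 10.0.5.0/24 allowlist are constructed for the demonstration.

```python
"""Flag requests to the Remote for Mac /api/executeScript endpoint.

Added example for CVE-2025-34089 detection; not vendor code.
Assumed (constructed) log format, one request per line:
    <client_ip> <METHOD> <path> <status> [<JSON object of request headers>]
"""
import ipaddress
import json
import re
from dataclasses import dataclass

# Endpoint named in the advisory.
TARGET_PATH = "/api/executeScript"

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: (?P<headers>\{.*\}))?$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    severity: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    headers = {}
    if m.group("headers"):
        try:
            headers = {k.lower(): v for k, v in json.loads(m.group("headers")).items()}
        except json.JSONDecodeError:
            return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
        "headers": headers,
    }


def analyze(lines, trusted_networks):
    """Apply the allowlist rule to every executeScript request in the log."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        trusted = any(ip in n for n in nets)
        if not trusted:
            # Any reach from outside the allowlist is worth an alert, even a
            # rejected one (status != 200): it shows the port is exposed.
            findings.append(Finding(
                rec["ip"], "high",
                f"{TARGET_PATH} reached from outside the trusted allowlist "
                f"(status {rec['status']})"))
        elif "x-script" in rec["headers"]:
            # Trusted host submitted a script: log for review, not an alert.
            findings.append(Finding(
                rec["ip"], "info",
                "script submitted from a trusted address; review against change records"))
    return findings


# Constructed sample log; 10.0.5.0/24 is the assumed management LAN.
SAMPLE_LOG = [
    '10.0.5.12 POST /api/executeScript 200 {"X-Script": "display dialog \\"hello\\""}',
    '203.0.113.45 POST /api/executeScript 200 {"X-Script": "[payload omitted]"}',
    '10.0.5.12 GET /api/status 200',
    '198.51.100.7 POST /api/executeScript 401',
    'garbage line that does not parse',
]
TRUSTED = ["10.0.5.0/24"]


def demo():
    return analyze(SAMPLE_LOG, TRUSTED)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.ip}: {f.reason}")
```

Run against the constructed sample, the script produces one informational entry for the trusted host and two high-severity findings for the two non-allowlisted addresses, including the request that was rejected with a 401. Treating rejected requests as findings is deliberate: they show that the endpoint is reachable from outside the intended network even when the "Allow unknown devices" option is off, which is the condition the firewall recommendation above is meant to remove.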


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.551Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6866dff66f40f0eb729b625a

Added to database: 7/3/2025, 7:54:30 PM

Last enriched: 7/3/2025, 8:09:46 PM

Last updated: 7/17/2025, 7:15:49 AM
