CVE-2025-43711: CWE-459 Incomplete Cleanup in Tunnelblick Project Tunnelblick
Tunnelblick 3.5beta06 before 7.0, when incompletely uninstalled, allows attackers to execute arbitrary code as root (upon the next boot) by dragging a crafted Tunnelblick.app file into /Applications.
AI Analysis
Technical Summary
CVE-2025-43711 is a high-severity vulnerability affecting the Tunnelblick VPN client, specifically versions prior to 7.0, including 3.5beta06. The vulnerability arises from incomplete cleanup during the uninstallation process of Tunnelblick. When the software is incompletely uninstalled, an attacker can exploit this state by placing a specially crafted Tunnelblick.app file into the /Applications directory. Upon the next system boot, this malicious application can execute arbitrary code with root privileges, effectively allowing full system compromise. The root cause is classified under CWE-459 (Incomplete Cleanup), indicating that residual files or configurations remain after uninstall, which can be leveraged by attackers. The CVSS 3.1 score of 8.1 reflects a high impact on confidentiality, integrity, and availability, with a complex attack vector requiring local access (AV:L), high attack complexity (AC:H), no privileges required (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are reported in the wild yet, the potential for severe damage is significant due to root-level code execution on reboot. This vulnerability is particularly relevant for macOS users running Tunnelblick versions before 7.0, especially those who have attempted to uninstall the software but left remnants behind. The threat exploits the trust macOS places in applications located in /Applications, combined with the elevated privileges granted during system startup.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Tunnelblick as their VPN client for secure remote access. Successful exploitation leads to full system compromise with root privileges, allowing attackers to access sensitive data, modify system configurations, install persistent malware, or disrupt operations. This can result in data breaches, loss of intellectual property, and operational downtime. The vulnerability's exploitation does not require user interaction or authentication, increasing the risk if an attacker gains local access or can trick users into placing malicious files. Organizations with remote or hybrid workforces using macOS devices are particularly at risk. Additionally, the persistence of the malicious code across reboots can facilitate long-term undetected presence within networks. Given the critical role VPNs play in securing communications, this vulnerability undermines the confidentiality and integrity of organizational data flows, potentially exposing European entities to espionage, ransomware, or sabotage campaigns.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately verify and ensure complete uninstallation of any Tunnelblick versions prior to 7.0, using official uninstall procedures and tools to remove all residual files and configurations.
2) Avoid placing any Tunnelblick.app files manually into the /Applications directory unless they are from trusted, verified sources.
3) Restrict local user permissions to prevent unauthorized file placement in /Applications, employing macOS security features such as System Integrity Protection (SIP) and mandatory access controls.
4) Monitor systems for unexpected Tunnelblick.app files or other suspicious applications in /Applications, especially after uninstall attempts.
5) Apply the latest Tunnelblick updates as soon as version 7.0 or later becomes available, which presumably address this vulnerability.
6) Implement endpoint detection and response (EDR) solutions capable of detecting anomalous file placements and code execution at boot time.
7) Educate users about the risks of incomplete uninstallation and the dangers of running untrusted applications.
8) For environments where Tunnelblick is critical, consider alternative VPN clients with verified security postures until patched versions are deployed.
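A defender-side check supporting items 1 and 4, added here as an example (it is not code from the page or from the Tunnelblick project): it scans a filesystem root for system launch daemon plists that reference Tunnelblick and reports whether the program each would run as root at boot still exists, which is exactly the dangling state an incomplete uninstall leaves behind. The LaunchDaemons directory, the bundle path and the helper path used in the constructed sample are assumptions, since the page does not name the residual files.

```python
import plistlib
from pathlib import Path
from typing import Optional

# Assumed locations (standard macOS layout); the advisory itself does not
# name the files that survive an incomplete uninstall.
LAUNCH_DAEMONS = "Library/LaunchDaemons"
APP_BUNDLE = "Applications/Tunnelblick.app"


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd job would run, if declared."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def find_residue(root: str = "/") -> list:
    """Report root-level launchd jobs that reference Tunnelblick.

    A job whose target binary is missing is a dangling root-at-boot entry:
    whatever later appears at that path (e.g. a crafted bundle dragged into
    /Applications) would be executed by launchd as root on the next boot.
    """
    root_p = Path(root)
    findings = []
    daemons = root_p / LAUNCH_DAEMONS
    if not daemons.is_dir():
        return findings
    for plist_file in sorted(daemons.glob("*.plist")):
        try:
            with open(plist_file, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            continue  # unparseable plist: out of scope for this check
        target = program_path(data)
        label = str(data.get("Label", ""))
        if "tunnelblick" not in (label + (target or "")).lower():
            continue
        # Resolve relative to the scanned root so the check also works on
        # an offline disk image or a test directory.
        resolved = root_p / target.lstrip("/") if target else None
        findings.append({
            "plist": str(plist_file),
            "label": label,
            "target": target,
            "target_exists": bool(resolved and resolved.exists()),
            "app_bundle_present": (root_p / APP_BUNDLE).exists(),
        })
    return findings
```

Any finding with `target_exists` False on a machine where Tunnelblick was uninstalled is residue to remove before anything can be placed at that path.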
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-17T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686869b46f40f0eb72a40bc5
Added to database: 7/4/2025, 11:54:28 PM
Last enriched: 7/14/2025, 9:23:35 PM
Last updated: 8/15/2025, 7:40:55 PM