CVE-2025-43711 is a high-severity vulnerability affecting the Tunnelblick VPN client, specifically versions prior to 7.0, including 3.5beta06. The vulnerability arises from incomplete cleanup during the uninstallation process of Tunnelblick. When the application is incompletely uninstalled, an attacker can exploit this state by placing a specially crafted Tunnelblick.app file into the /Applications directory. Upon the next system boot, this malicious application can execute arbitrary code with root privileges. The root-level code execution means the attacker gains full control over the affected system, compromising confidentiality, integrity, and availability. The vulnerability is classified under CWE-459 (Incomplete Cleanup), indicating that residual files or configurations left behind after uninstallation can be leveraged maliciously. The CVSS 3.1 base score of 8.1 reflects the high impact and complexity of this vulnerability, with an attack vector requiring local access (AV:L), high attack complexity (AC:H), no privileges required (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The vulnerability has not yet been observed exploited in the wild, and no patches have been linked at the time of publication. Tunnelblick is a popular open-source VPN client for macOS, widely used to manage OpenVPN connections. The vulnerability specifically targets macOS environments where Tunnelblick is installed and incompletely uninstalled, leaving the system vulnerable to local privilege escalation attacks.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Tunnelblick for secure VPN connectivity. The ability for an attacker to execute arbitrary code as root can lead to full system compromise, data breaches, and disruption of critical services. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often use VPNs to secure remote access, are particularly at risk. The local attack vector implies that an attacker must have some level of access to the affected machine, which could be achieved through physical access or via other compromised user accounts. Once exploited, the attacker can bypass security controls, install persistent malware, exfiltrate sensitive data, or disrupt operations. Given the high privileges gained, the impact on confidentiality, integrity, and availability is severe. Additionally, the incomplete uninstallation scenario may be common in environments where software lifecycle management is inconsistent, increasing the risk of exposure. The lack of a patch at the time of disclosure necessitates immediate mitigation to prevent exploitation.

European organizations should take several specific steps to mitigate this vulnerability: 1) Conduct an inventory of all macOS systems to identify installations of Tunnelblick, particularly versions before 7.0. 2) Avoid incomplete uninstallation by following official uninstallation procedures carefully; ensure that all Tunnelblick files and configurations are fully removed. 3) Restrict local access to macOS systems, enforcing strict physical security and limiting user privileges to reduce the risk of local exploitation. 4) Monitor the /Applications directory for unauthorized or suspicious Tunnelblick.app files or other unexpected applications, using file integrity monitoring tools. 5) Implement endpoint detection and response (EDR) solutions capable of detecting unusual process executions or privilege escalations on macOS. 6) Educate IT staff and users about the risks of incomplete uninstallation and the importance of applying updates once patches become available. 7) Regularly check for updates from the Tunnelblick project and apply patches promptly when released. 8) As a temporary measure, consider disabling or uninstalling Tunnelblick on systems where it is not essential, or replacing it with alternative VPN clients with a better security posture. These targeted actions go beyond generic advice by focusing on the specific conditions that enable exploitation and the operational context of Tunnelblick in macOS environments.