CVE-2025-4412: CWE-276 Incorrect Default Permissions in SparkLabs Viscosity
On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 1.11.5 of Viscosity.
AI Analysis
Technical Summary
CVE-2025-4412 is a medium-severity vulnerability affecting the macOS version of SparkLabs' Viscosity VPN client. The issue stems from incorrect default permissions (CWE-276) related to the use of Launch Agents to load the viscosity_openvpn process from the application bundle. Specifically, an attacker with local user-level privileges can exploit this by loading a dynamic library under Viscosity's TCC (Transparency, Consent, and Control) identity. This TCC identity governs access to protected system resources on macOS. However, the vulnerability does not grant elevated entitlements such as camera or microphone access, which remain protected by system prompts and user consent. The attacker can only leverage permissions already granted by the user for file resources, potentially allowing unauthorized file access or manipulation within those boundaries. No user interaction or authentication is required to exploit this vulnerability, but the attack vector is limited to local access (AV:L). The flaw was addressed in Viscosity version 1.11.5, indicating that earlier versions are vulnerable. The CVSS 4.0 base score is 4.8, reflecting a medium impact primarily due to limited scope and privileges required. There are no known exploits in the wild at this time. The vulnerability highlights the risk of improper permission configurations in macOS applications that integrate with system security frameworks like TCC, which can lead to privilege escalation or unauthorized resource access within the constraints of user-granted permissions.
Potential Impact
For European organizations, the impact of CVE-2025-4412 is moderate but should not be overlooked. Organizations using Viscosity VPN on macOS devices may face risks of unauthorized file access by local attackers or malicious insiders who can exploit the incorrect default permissions to load malicious dynamic libraries under the application's TCC identity. While the vulnerability does not allow bypassing critical system protections such as camera or microphone access without user consent, it can still lead to confidentiality breaches of sensitive files accessible by the user context. This could be particularly concerning for organizations handling sensitive data or operating in regulated sectors such as finance, healthcare, or government. The vulnerability requires local access, so remote exploitation is not feasible, limiting the attack surface. However, in environments where macOS endpoints are shared or where endpoint security is lax, the risk increases. Additionally, the use of Viscosity as a VPN client means that compromised endpoints could undermine secure communications or data integrity. The absence of known exploits reduces immediate risk but does not preclude future exploitation attempts. Overall, the vulnerability could facilitate lateral movement or data exfiltration within compromised networks if not mitigated.
Mitigation Recommendations
European organizations should take the following specific actions to mitigate CVE-2025-4412:
1) Immediately upgrade all macOS installations of Viscosity to version 1.11.5 or later, where the vulnerability is fixed.
2) Implement strict endpoint security controls to prevent unauthorized local access, including enforcing strong user authentication, limiting administrative privileges, and using endpoint detection and response (EDR) tools to monitor for suspicious dynamic library loading or process injection activities.
3) Audit and restrict the use of Launch Agents and other mechanisms that can load processes or libraries with elevated TCC identities.
4) Educate users about the risks of granting file permissions and monitor file access logs for anomalies.
5) Employ application whitelisting to prevent unauthorized dynamic libraries from loading within Viscosity or other critical applications.
6) Regularly review and update macOS privacy and security settings to ensure that only necessary permissions are granted to applications.
7) Maintain an inventory of macOS endpoints running Viscosity to ensure timely patching and compliance.
These measures go beyond generic advice by focusing on controlling local access vectors, monitoring dynamic library usage, and enforcing strict permission management aligned with the vulnerability's technical specifics.
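A defender-side check for recommendations 1, 3 and 7, as an added example that is not part of the advisory or of SparkLabs' code: it compares the installed Viscosity version against 1.11.5 and lists Launch Agent plists whose command references viscosity_openvpn. The install path /Applications/Viscosity.app and all function names are assumptions; a listed plist is a candidate for manual review, not a verdict.

```python
import plistlib
from pathlib import Path

FIXED = (1, 11, 5)             # fixed release named in the advisory
HELPER = "viscosity_openvpn"   # helper binary named in the advisory
# Assumptions: default install path; standard per-user and system Launch Agent folders.
APP_INFO = Path("/Applications/Viscosity.app/Contents/Info.plist")
AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]

def parse_version(text):
    """'1.11.4' -> (1, 11, 4); missing or non-numeric fields count as 0."""
    fields = (text.split(".") + ["0", "0", "0"])[:3]
    return tuple(int(f) if f.isdigit() else 0 for f in fields)

def is_unpatched(version_text):
    """True when the version is older than the fixed release."""
    return parse_version(version_text) < FIXED

def job_command(plist_bytes):
    """Return the strings launchd would execute: Program plus ProgramArguments."""
    job = plistlib.loads(plist_bytes)
    if not isinstance(job, dict):
        return []
    argv = [job["Program"]] if isinstance(job.get("Program"), str) else []
    args = job.get("ProgramArguments")
    argv += [a for a in args if isinstance(a, str)] if isinstance(args, list) else []
    return argv

def references_helper(plist_bytes):
    """True when any part of the job's command mentions the helper binary."""
    return any(HELPER in arg for arg in job_command(plist_bytes))

def audit(app_info=APP_INFO, agent_dirs=AGENT_DIRS):
    """Return (installed version or None, unpatched?, [agent plists to review])."""
    version = None
    if app_info.is_file():
        version = plistlib.loads(app_info.read_bytes()).get("CFBundleShortVersionString")
    hits = []
    for d in agent_dirs:
        for p in sorted(d.glob("*.plist")) if d.is_dir() else []:
            try:
                if references_helper(p.read_bytes()):
                    hits.append(str(p))
            except Exception:      # malformed or unreadable plist: review by hand
                hits.append(f"{p} (unparseable)")
    return version, bool(version) and is_unpatched(version), hits

if __name__ == "__main__":
    print(audit())
```

Run it per user account on each endpoint, since `~/Library/LaunchAgents` resolves to the invoking user's home directory.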
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-05-07T10:11:05.905Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6835ae13182aa0cae20f9cc7
Added to database: 5/27/2025, 12:20:35 PM
Last enriched: 7/11/2025, 2:49:37 AM
Last updated: 8/8/2025, 5:51:43 PM