
CVE-2025-4412: CWE-276 Incorrect Default Permissions in SparkLabs Viscosity

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-4412, cve, cve-2025-4412, cwe-276
Published: Tue May 27 2025 (05/27/2025, 10:09:14 UTC)
Source: CVE Database V5
Vendor/Project: SparkLabs
Product: Viscosity

Description

On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 1.11.5 of Viscosity.

AI-Powered Analysis

Last updated: 07/11/2025, 02:49:37 UTC

Technical Analysis

CVE-2025-4412 is a medium-severity vulnerability affecting the macOS version of SparkLabs' Viscosity VPN client. The issue stems from incorrect default permissions (CWE-276) related to the use of Launch Agents to load the viscosity_openvpn process from the application bundle. Specifically, an attacker with local user-level privileges can exploit this by loading a dynamic library under Viscosity's TCC (Transparency, Consent, and Control) identity. This TCC identity governs access to protected system resources on macOS. However, the vulnerability does not grant elevated entitlements such as camera or microphone access, which remain protected by system prompts and user consent. The attacker can only leverage permissions already granted by the user for file resources, potentially allowing unauthorized file access or manipulation within those boundaries. No user interaction or authentication is required to exploit this vulnerability, but the attack vector is limited to local access (AV:L). The flaw was addressed in Viscosity version 1.11.5, indicating that earlier versions are vulnerable. The CVSS 4.0 base score is 4.8, reflecting a medium impact primarily due to limited scope and privileges required. There are no known exploits in the wild at this time. The vulnerability highlights the risk of improper permission configurations in macOS applications that integrate with system security frameworks like TCC, which can lead to privilege escalation or unauthorized resource access within the constraints of user-granted permissions.

Potential Impact

For European organizations, the impact of CVE-2025-4412 is moderate but should not be overlooked. Organizations using Viscosity VPN on macOS devices may face risks of unauthorized file access by local attackers or malicious insiders who can exploit the incorrect default permissions to load malicious dynamic libraries under the application's TCC identity. While the vulnerability does not allow bypassing critical system protections such as camera or microphone access without user consent, it can still lead to confidentiality breaches of sensitive files accessible by the user context. This could be particularly concerning for organizations handling sensitive data or operating in regulated sectors such as finance, healthcare, or government. The vulnerability requires local access, so remote exploitation is not feasible, limiting the attack surface. However, in environments where macOS endpoints are shared or where endpoint security is lax, the risk increases. Additionally, the use of Viscosity as a VPN client means that compromised endpoints could undermine secure communications or data integrity. The absence of known exploits reduces immediate risk but does not preclude future exploitation attempts. Overall, the vulnerability could facilitate lateral movement or data exfiltration within compromised networks if not mitigated.

Mitigation Recommendations

European organizations should take the following specific actions to mitigate CVE-2025-4412:

1) Immediately upgrade all macOS installations of Viscosity to version 1.11.5 or later, where the vulnerability is fixed.
2) Implement strict endpoint security controls to prevent unauthorized local access, including enforcing strong user authentication, limiting administrative privileges, and using endpoint detection and response (EDR) tools to monitor for suspicious dynamic library loading or process injection activities.
3) Audit and restrict the use of Launch Agents and other mechanisms that can load processes or libraries with elevated TCC identities.
4) Educate users about the risks of granting file permissions and monitor file access logs for anomalies.
5) Employ application whitelisting to prevent unauthorized dynamic libraries from loading within Viscosity or other critical applications.
6) Regularly review and update macOS privacy and security settings to ensure that only necessary permissions are granted to applications.
7) Maintain an inventory of macOS endpoints running Viscosity to ensure timely patching and compliance.

These measures go beyond generic advice by focusing on controlling local access vectors, monitoring dynamic library usage, and enforcing strict permission management aligned with the vulnerability's technical specifics.
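A sketch of how the upgrade check and the Launch Agent audit recommended above can be automated, added here as an example (it is not code from SparkLabs or from the CVE record). It compares the bundle version against the fixed release 1.11.5 and flags launchd job definitions that start viscosity_openvpn. The sample plists, the file names and the PLACEHOLDER path inside the bundle are constructed for illustration.

```python
import plistlib
import re

FIXED = (1, 11, 5)            # first fixed release, per the advisory
TARGET = "viscosity_openvpn"  # helper binary named in the advisory

def parse_version(text):
    """'1.11.4' -> (1, 11, 4); only the leading digits of each part count."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_vulnerable(info_plist):
    """True when the bundle's Info.plist reports a version below FIXED."""
    info = plistlib.loads(info_plist)
    return parse_version(info["CFBundleShortVersionString"]) < FIXED

def launches_target(agent_plist):
    """True when a launchd job's Program/ProgramArguments name TARGET."""
    job = plistlib.loads(agent_plist)
    argv = [job.get("Program", "")] + list(job.get("ProgramArguments", []))
    return any(TARGET in str(arg) for arg in argv)

def audit(info_plist, agents):
    """agents maps plist file name -> raw bytes; returns the findings."""
    flagged = sorted(n for n, raw in agents.items() if launches_target(raw))
    return {"vulnerable": is_vulnerable(info_plist), "flagged_agents": flagged}

# Constructed sample data (not taken from a real host or from the vendor).
SAMPLE_INFO_OLD = plistlib.dumps({"CFBundleShortVersionString": "1.9.2"})
SAMPLE_INFO_FIXED = plistlib.dumps({"CFBundleShortVersionString": "1.11.5"})
SAMPLE_AGENTS = {
    "com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/bin/rsync", "-a", "/src", "/dst"]}),
    "com.example.helper.plist": plistlib.dumps({
        "Label": "com.example.helper",
        # placeholder path: the real location inside the bundle is not given
        "Program": "/Applications/Viscosity.app/PLACEHOLDER/viscosity_openvpn"}),
}

if __name__ == "__main__":
    print(audit(SAMPLE_INFO_OLD, SAMPLE_AGENTS))
```

On a managed Mac, pass in the bytes of the application's Contents/Info.plist and of each file under ~/Library/LaunchAgents and /Library/LaunchAgents. A flagged agent is a prompt for review, not proof of abuse, and the version comparison is numeric, so 1.9.2 sorts below 1.11.5.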


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-05-07T10:11:05.905Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6835ae13182aa0cae20f9cc7

Added to database: 5/27/2025, 12:20:35 PM

Last enriched: 7/11/2025, 2:49:37 AM

Last updated: 8/11/2025, 3:08:30 AM
