
CVE-2025-65841: n/a

Published: Wed Dec 03 2025 (12/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or logging in through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user.

AI-Powered Analysis

Last updated: 12/03/2025, 17:30:08 UTC

Technical Analysis

CVE-2025-65841 identifies a security vulnerability in Aquarius Desktop version 3.0.069 for macOS, where user authentication credentials are stored insecurely in the local file system at ~/Library/Application Support/Aquarius/aquarius.settings. Instead of using strong cryptographic methods, the application employs a weak obfuscation technique based on predictable byte-substitution to 'encrypt' the password. This method is trivial to reverse, allowing any attacker with read access to this file to recover the plaintext password immediately. Once the attacker obtains the password, they can import the stolen configuration into their own Aquarius client or log in via the vendor’s website, resulting in complete account takeover. This compromise extends to unauthorized access to cloud-synchronized data and the ability to perform any authenticated actions as the victim user. The vulnerability does not require user interaction beyond file access, and no authentication barriers prevent reading the settings file if local access is gained. Although no known exploits are currently reported in the wild, the flaw represents a significant risk due to the ease of exploitation and the critical nature of the compromised credentials. No patches or mitigations have been officially released by the vendor as of the publication date. The vulnerability was reserved on 2025-11-18 and published on 2025-12-03, with no CVSS score assigned yet.

Potential Impact

For European organizations, this vulnerability could lead to severe consequences including unauthorized access to sensitive corporate data synchronized via Aquarius cloud services, potential data leakage, and disruption of business processes relying on the application. Account takeover could allow attackers to manipulate or exfiltrate data, impersonate users, and perform malicious actions under legitimate credentials, undermining trust and compliance with data protection regulations such as GDPR. The risk is heightened in environments where macOS is prevalent and Aquarius Desktop is used for critical workflows or data synchronization. Additionally, organizations with lax endpoint security controls that allow unauthorized local file access are particularly vulnerable. The absence of a patch increases exposure time, and the trivial nature of the exploit means even low-skilled attackers could leverage this vulnerability if they gain local access. This could also facilitate lateral movement within networks if attackers escalate privileges after initial compromise.

Mitigation Recommendations

1. Immediately restrict file system permissions on the ~/Library/Application Support/Aquarius/aquarius.settings file to the minimum necessary, ensuring only the authenticated user and system processes can read it.
2. Implement endpoint monitoring to detect unauthorized access or copying of this settings file, including file integrity monitoring and alerting on suspicious activity.
3. Encourage users to avoid storing sensitive credentials on shared or multi-user systems without proper access controls.
4. Use full disk encryption and strong endpoint security solutions to reduce the risk of local file access by unauthorized parties.
5. Engage with the vendor to demand a security patch that replaces the weak obfuscation with strong cryptographic encryption for stored credentials and to provide guidance on secure credential storage.
6. Until a patch is available, consider disabling cloud synchronization features or limiting use of Aquarius Desktop on macOS in sensitive environments.
7. Educate users about the risks of local file exposure and enforce strict endpoint security policies.
8. Regularly audit macOS endpoints for unauthorized file access and suspicious activity related to Aquarius Desktop files.
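A permission audit for recommendations 1 and 8, as an added example that is not part of the original advisory or the vendor's code. The function names are hypothetical; it inspects POSIX mode bits and ownership only (not macOS ACLs), and the demo runs against a constructed temporary home directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Location relative to each home directory, taken from the CVE description.
SETTINGS_REL = Path("Library/Application Support/Aquarius/aquarius.settings")

def audit_settings(home, fix=False):
    """Findings for one home directory ([] = absent or clean); ACLs are not inspected."""
    home = Path(home)
    path = home / SETTINGS_REL
    try:
        st = os.lstat(path)  # lstat so a symlink at this path is not followed
    except FileNotFoundError:
        return []
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file, inspect manually"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
        if fix:
            os.chmod(path, 0o600)  # owner read/write only
    if st.st_uid != os.stat(home).st_uid:
        findings.append(f"{path}: owner uid {st.st_uid} differs from home owner")
    # A group/world-writable parent lets another account replace the file.
    for parent in path.parents:
        if parent == home:
            break
        pmode = stat.S_IMODE(os.stat(parent).st_mode)
        if pmode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{parent}: directory mode {pmode:04o} is writable by others")
    return findings

def demo():
    """Audit, fix and re-audit a constructed home with a 0644 settings file."""
    home = Path(tempfile.mkdtemp())
    target = home / SETTINGS_REL
    target.parent.mkdir(parents=True)
    for d in list(target.parents)[:3]:  # Aquarius, Application Support, Library
        os.chmod(d, 0o700)
    target.write_text("constructed placeholder, no real credentials\n")
    os.chmod(target, 0o644)
    before = audit_settings(home, fix=True)
    after = audit_settings(home)
    return before, after, stat.S_IMODE(os.stat(target).st_mode)
```

Tightening the mode only narrows who can read the file locally; the stored value remains reversible until the vendor changes how it is protected.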


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69306fa987f844e86079960a

Added to database: 12/3/2025, 5:13:13 PM

Last enriched: 12/3/2025, 5:30:08 PM

Last updated: 12/5/2025, 2:33:16 AM
