CVE-2025-65843 identifies a security vulnerability in Aquarius Desktop version 3.0.069 running on macOS. The flaw resides in the application's support data archive generation feature, specifically in how it handles files within the ~/Library/Logs/Aquarius directory. The application uses a JUCE directory iterator configured to follow symbolic links (symlinks) when recursively enumerating log files. This behavior causes the application to treat symlink targets as regular files without validating whether the files are actual logs or symlinked elsewhere on the filesystem. Consequently, a local attacker with write access to the log directory can plant symlinks pointing to arbitrary filesystem locations. When the support ZIP archive is generated, the application reads and includes the contents of these arbitrary files, leading to unauthorized disclosure of sensitive data or modification of files if the archive is extracted or processed further. Furthermore, when this vulnerability is chained with a related privilege escalation issue in the HelperTool component, which can elevate privileges to root, the attacker could gain access to root-owned files, significantly increasing the impact. The vulnerability requires local access and the ability to write to the log directory, limiting remote exploitation. No CVSS score has been assigned yet, and no known exploits are currently in the wild. The vulnerability highlights insecure file handling and insufficient validation of symlinks in application logging and support data collection mechanisms, a common source of local privilege escalation and data leakage vulnerabilities on Unix-like systems.

For European organizations, this vulnerability poses a risk primarily to confidentiality and integrity of local files on macOS systems running Aquarius Desktop. Sensitive files could be disclosed if symlinks point to confidential data, or files could be modified if the archive extraction process is exploited. The impact escalates if combined with the HelperTool privilege escalation vulnerability, potentially allowing attackers to access or modify root-owned files, compromising system integrity and availability. Organizations in sectors with high data sensitivity, such as finance, healthcare, and government, are at greater risk due to the potential exposure of critical data. The requirement for local access limits the threat to insider attackers or those with compromised user accounts. However, the chaining possibility increases the severity, as attackers could gain elevated privileges and broader system control. This vulnerability could also undermine trust in incident response and support processes, as support data archives might inadvertently leak sensitive information. The lack of a patch at the time of disclosure means organizations must rely on compensating controls until a fix is available.

1. Restrict write permissions to the ~/Library/Logs/Aquarius directory to trusted users only, preventing unauthorized creation of symlinks. 2. Implement monitoring and alerting for creation of symbolic links within the log directory using file integrity monitoring tools. 3. Temporarily disable or limit the use of the support data archive generation feature until a vendor patch is released. 4. Conduct regular audits of log directories to detect suspicious symlinks or unexpected files. 5. Apply the vendor-provided patch as soon as it becomes available to ensure proper symlink validation and secure file handling. 6. Review and harden the HelperTool component to prevent privilege escalation, reducing the risk of chained exploitation. 7. Educate users and administrators about the risks of local file manipulation and enforce least privilege principles on macOS systems. 8. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous local file system activities related to symlink exploitation.