CVE-2025-43711
📋 TL;DR
This vulnerability in Tunnelblick allows attackers to execute arbitrary code with root privileges when a user drags a malicious Tunnelblick.app file into the /Applications folder after an incomplete uninstallation. It affects macOS users running vulnerable Tunnelblick versions. The attack triggers upon the next system boot.
💻 Affected Systems
- Tunnelblick
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level persistence, allowing complete control over the macOS system, data theft, and lateral movement.
Likely Case
Local privilege escalation leading to unauthorized access, data exfiltration, or installation of additional malware.
If Mitigated
No impact if proper uninstallation procedures are followed and only trusted applications are installed.
🎯 Exploit Status
Requires local file placement via social engineering, physical access, or compromised user account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0 and later
Vendor Advisory: https://tunnelblick.net/cCVE-2025-43711.html
Restart Required: Yes
Instructions:
1. Download Tunnelblick 7.0 or later from https://tunnelblick.net/downloads.html.
2. Install the new version.
3. Restart your system to ensure a clean state.
🔧 Temporary Workarounds
Complete Uninstallation
Properly uninstall Tunnelblick using the official uninstaller so that all components are removed.
Open Tunnelblick, go to 'VPN Details', click 'Uninstall Tunnelblick'
Application Folder Protection
Monitor the /Applications folder for unauthorized Tunnelblick.app files.
sudo chmod 755 /Applications
ls -la /Applications | grep Tunnelblick
🧯 If You Can't Patch
- Ensure Tunnelblick is completely uninstalled using official uninstaller
- Restrict write access to /Applications folder and monitor for unauthorized files
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Tunnelblick version is in the affected range (3.5beta06 up to, but not including, 7.0), and whether residual Tunnelblick components remain on disk after an uninstallation.
Check Version:
Open Tunnelblick → 'VPN Details' → 'Version' or check 'About Tunnelblick'
Verify Fix Applied:
Verify Tunnelblick version is 7.0 or later and no unauthorized Tunnelblick.app exists in /Applications.
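The two checks above can be scripted. The following POSIX shell script is an added example, not code from the advisory or from the Tunnelblick project: it turns a Tunnelblick version string into a sortable key, tests it against the range the page gives (3.5beta06 up to but not including the 7.0 release; 7.0 betas are treated as pre-fix, which is an assumption), and looks for leftover components under a chosen root directory. The component paths (Tunnelblick.app in /Applications, /Library/Application Support/Tunnelblick, and the tunnelblickd LaunchDaemon plist) are assumed locations, not ones the page lists, so extend the list to match your own install.

```shell
#!/bin/sh
# Added example (not from the advisory page or the Tunnelblick project).
# Checks a Tunnelblick version against the affected range and looks for
# residual components left behind by an incomplete uninstallation.

# Map a version such as "3.5beta06", "6.0.1" or "3.8.8 (build 5775)" to a
# number that sorts in release order: major*10^6 + minor*10^4 + patch*100 + pre,
# where pre is the beta number (0-98) or 99 for a final release.
tb_version_key() {
    v=$1
    num=$(printf '%s' "$v" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/')
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -s -d. -f2)
    patch=$(printf '%s' "$num" | cut -s -d. -f3)
    case $major in ''|*[!0-9]*) echo 0; return ;; esac   # unparseable input
    case $v in
        *beta*) pre=$(printf '%s' "$v" | sed -E 's/.*beta0*([0-9]+).*/\1/') ;;
        *)      pre=99 ;;
    esac
    case $pre in ''|*[!0-9]*) pre=0 ;; esac              # "beta" with no number
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 10000 + ${patch:-0} * 100 + pre ))
}

# Succeeds (exit 0) when the version lies in [3.5beta06, 7.0), the range the page gives.
tb_version_vulnerable() {
    k=$(tb_version_key "$1")
    lo=$(tb_version_key 3.5beta06)
    hi=$(tb_version_key 7.0)       # assumption: 7.0 betas count as pre-fix
    [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]
}

# Print each assumed Tunnelblick component that still exists under $1
# (a root prefix, "" for the live system); exit 0 if any was found.
tb_residual_components() {
    root=${1:-}
    found=0
    for p in \
        "/Applications/Tunnelblick.app" \
        "/Library/Application Support/Tunnelblick" \
        "/Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist"
    do
        if [ -e "$root$p" ]; then
            echo "residual: $root$p"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# Read the installed version from the app bundle (macOS only; PlistBuddy is
# part of the OS). Prints nothing if the bundle is absent.
tb_installed_version() {
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "/Applications/Tunnelblick.app/Contents/Info.plist" 2>/dev/null
}

tb_main() {
    ver=$(tb_installed_version)
    if [ -n "$ver" ]; then
        if tb_version_vulnerable "$ver"; then
            echo "Tunnelblick $ver is in the affected range; update to 7.0 or later"
        else
            echo "Tunnelblick $ver is outside the affected range"
        fi
    else
        echo "no Tunnelblick.app in /Applications"
    fi
    tb_residual_components "" || echo "no residual Tunnelblick components found"
}

# Only run the live checks on macOS; the functions above are still usable elsewhere.
if [ "$(uname)" = Darwin ]; then
    tb_main
fi
```

Run it with `sh check_tunnelblick.sh` on the host in question; on a non-macOS machine the version and residual-component functions can still be called directly, for example against a mounted image by passing its mount point as the root prefix.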
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file creation in /Applications
- Unexpected Tunnelblick.app execution at boot
Network Indicators:
- Unusual outbound connections from Tunnelblick process
SIEM Query:
process_name:"Tunnelblick" AND parent_process:"launchd" AND command_line:"/Applications/Tunnelblick.app*"