CVE-2025-43917
📋 TL;DR
This vulnerability allows administrators with access to /Applications to escalate privileges after uninstalling Pritunl Client. By replacing the removed pritunl-service file with a malicious executable, an attacker can gain root execution via LaunchDaemon. This affects macOS systems running vulnerable versions of Pritunl Client.
💻 Affected Systems
- Pritunl Client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level persistence, allowing complete control over the macOS system, data theft, and lateral movement.
Likely Case
Privilege escalation from administrator to root, enabling installation of backdoors, modification of system files, and bypassing security controls.
If Mitigated
Limited impact if proper application control and privilege separation are enforced, though local administrators could still exploit it.
🎯 Exploit Status
Exploitation requires administrator privileges and knowledge of the vulnerability, but the technique is straightforward once known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.4220.57
Vendor Advisory: https://forum.pritunl.com/t/pritunl-client-v1-3-4220-57/3183
Restart Required: No
Instructions:
1. Download Pritunl Client version 1.3.4220.57 or later from official sources.
2. Install the update over the existing installation.
3. Verify the installed version is 1.3.4220.57 or higher.
🔧 Temporary Workarounds
Remove vulnerable versions
Uninstall Pritunl Client versions before 1.3.4220.57 and do not reinstall until patched.
sudo rm -rf /Applications/Pritunl.app
sudo launchctl unload /Library/LaunchDaemons/com.pritunl.service.plist
sudo rm /Library/LaunchDaemons/com.pritunl.service.plist
Restrict /Applications access
Limit administrator access to the /Applications directory using macOS permissions or MDM policies. Note that the macOS default for /Applications is root:admin with group write, so the commands below also stop administrators from installing applications there by drag-and-drop.
sudo chmod 755 /Applications
sudo chown root:wheel /Applications
🧯 If You Can't Patch
- Monitor for unauthorized file creation at /Library/LaunchDaemons/com.pritunl.service.plist
- Implement application control to prevent execution of unauthorized binaries from /Applications
🔍 How to Verify
Check if Vulnerable:
Check Pritunl Client version: if version is less than 1.3.4220.57, system is vulnerable.
Check Version:
defaults read /Applications/Pritunl.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Verify that the Pritunl Client version is 1.3.4220.57 or higher, and check that /Library/LaunchDaemons/com.pritunl.service.plist and the service binary it points to are owned by root and not writable by group or others (launchd refuses to load a daemon plist that other users can modify).
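As an added check that is not part of this advisory or of the Pritunl project, the following POSIX shell helper compares the installed version against 1.3.4220.57 and verifies that the LaunchDaemon plist and every path listed in its ProgramArguments exist, are root-owned and are not group- or world-writable. It assumes the Info.plist and LaunchDaemon paths named above and uses plutil -extract (macOS 10.15 or later) to read the plist.

```shell
#!/bin/sh
# Added verification helper (not from the Pritunl project or this advisory).
# Assumes the paths named on the page; the service binary path is read at
# runtime from the LaunchDaemon plist's ProgramArguments.
FIXED_VERSION="1.3.4220.57"
APP_INFO="/Applications/Pritunl.app/Contents/Info.plist"
DAEMON_PLIST="/Library/LaunchDaemons/com.pritunl.service.plist"

# version_lt A B: true (0) when dotted version A is numerically older than B.
version_lt() {
    i=1
    while [ "$i" -le 8 ]; do
        a=$(printf '%s.' "$1" | cut -d. -f"$i"); b=$(printf '%s.' "$2" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 1          # every field equal
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# vulnerable_version V: true when V is below the fixed release.
vulnerable_version() { version_lt "$1" "$FIXED_VERSION"; }

# Ownership and mode checks that mirror what launchd requires of a daemon plist.
owned_by_root() { [ "$(ls -ld "$1" 2>/dev/null | awk '{print $3}')" = root ]; }
not_group_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)   # e.g. -rw-r--r--
    [ -n "$mode" ] || return 1
    case "$mode" in ?????w*|????????w*) return 1 ;; esac   # group or other 'w' bit
    return 0
}

# audit: report version and daemon plist/binary hygiene on the local macOS host.
audit() {
    ver=$(defaults read "$APP_INFO" CFBundleShortVersionString 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then echo "Pritunl Client not installed: $APP_INFO missing"
    elif vulnerable_version "$ver"; then echo "VULNERABLE: Pritunl Client $ver is older than $FIXED_VERSION"
    else echo "OK: Pritunl Client $ver"; fi
    bins=$(plutil -extract ProgramArguments json -o - "$DAEMON_PLIST" 2>/dev/null | grep -o '"/[^"]*"' | tr -d '"')
    for f in "$DAEMON_PLIST" $bins; do
        if [ ! -e "$f" ]; then echo "MISSING: $f (LaunchDaemon references a path that no longer exists)"
        elif owned_by_root "$f" && not_group_world_writable "$f"; then echo "OK: $f"
        else echo "WEAK: $f is not root-owned or is group/world-writable"; fi
    done
}
case "${1:-}" in run) audit ;; esac
```

Run it as `sh check.sh run` on the host; a MISSING line for the service binary while the plist is still present is exactly the stale state the advisory describes.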
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file creation in /Library/LaunchDaemons/
- Unexpected launchd service executions
- Pritunl Client uninstallation events
Network Indicators:
- None - this is local privilege escalation
SIEM Query:
process.name:pritunl-service AND user.name:root AND process.parent.name:launchd
This query also matches the legitimate service running under launchd, so correlate hits with the file-creation and uninstallation indicators above rather than alerting on it alone.