CVE-2025-25364

Name of the Vulnerable Software and Affected Versions Speedify VPN versions up to 15.0.0 Speedify VPN version 15.4.1

Description A command injection flaw exists in the me.connectify.SMJobBlessHelper XPC service of Speedify VPN. This issue allows attackers to execute arbitrary commands with root-level privileges. The flaw resides in improper input validation within the XPC interface of the helper tool, specifically in the cmdPath and cmdBin fields. Successful exploitation can lead to local privilege escalation, enabling attackers to read, modify, or delete critical system files and potentially install persistent malware. The vulnerability, identified as CVE-2025-25364, was addressed with version 15.4.1, which includes a complete rewrite of the vulnerable helper tool.

Recommendations Speedify VPN versions up to 15.0.0: Upgrade to version 15.4.1 or later. Speedify VPN version 15.0.0: Update to version 15.4.1 to address the command injection vulnerability.