PT-2025-27829 · Unknown · Remote For Mac

Chokri Hammedi · Published 2025-06-08 · Updated 2025-11-12 · CVE-2025-34089

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Remote for Mac versions prior to 2025.7

Description

An unauthenticated remote code execution issue exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio. When the application is configured with authentication disabled, the /api/executeScript API endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

Recommendations

Update Remote for Mac to a version later than 2025.7.

Exploit

Fix

RCE

Missing Authentication

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00162
CVE-2025-34089

Affected Products

Remote For Mac