
Vertical Escalation of Privileges CVE-2025-43711

On This Page
    What is the vulnerability?
    Prerequisites to exploiting the vulnerability
    Exploiting the vulnerability
    Preventing an attack
        If you want to keep using Tunnelblick
        If you do not want to use Tunnelblick
    FAQ
        How can I tell if my computer is vulnerable to the attack?
        What versions of Tunnelblick are affected?
        What is an "incomplete" uninstall?
        Does Tunnelblick need to be installed for the attack to work?
        Does uninstalling Tunnelblick prevent the attack?
            What can I do to protect my computer if I have already dragged Tunnelblick to the Trash?
    Timeline


On 2025-03-14 Egor Filatov (Positive Technologies) informed Tunnelblick developers of a security vulnerability in Tunnelblick. This vulnerability has been assigned CVE-2025-43711. The developers released new versions of Tunnelblick to address the vulnerability on 2025-04-22.

What is the vulnerability?

The vulnerability is a vertical escalation of privileges which allows an attacker to obtain root privileges without any authentication or authorization if

  • A vulnerable version of Tunnelblick has been installed, and
  • That version has been uninstalled incompletely, and
  • An administrator is logged in, and
  • The computer is unlocked, and
  • The attacker is able to use Finder, either locally or via remote control.

The vulnerability does not give the attacker more privileges than the logged-in administrator could obtain by providing a password, fingerprint, or other authentication and authorization, but no such authentication or authorization is required.

The vulnerability cannot be exploited on computers that have Tunnelblick installed; it can only be exploited on computers on which Tunnelblick was installed and then incompletely uninstalled.

The vulnerability cannot be exploited if only a standard user is logged in. However, the first user created when macOS is installed is an administrator, and that is the account most macOS users use.

Prerequisites to exploiting the vulnerability

  1. Tunnelblick must have been installed, which requires authentication and authorization by an administrator.
  2. The Tunnelblick application must have later been moved to the Trash or deleted, either of which requires authentication and authorization by an administrator.
  3. An administrator must be logged in. (The initial user created when macOS is installed is an administrator.)
  4. The computer must be unlocked.

Exploiting the vulnerability

  1. The attacker must use Finder to drag a specially-crafted Tunnelblick.app into /Applications. No authentication or authorization will be required.

The next time the computer starts, macOS will run a program inside the specially-crafted Tunnelblick.app as root, before any user is logged in.

Preventing an attack

If you want to keep using Tunnelblick

Update to Tunnelblick 7.0 or later, or 7.1beta01 or later, by using the built-in updater or by downloading and installing the new version over an old version. Both methods will preserve VPN configurations and settings.

If you cannot update (for example, because you are using an older version of macOS which cannot run Tunnelblick 7.0 or later or 7.1beta01 or later):

  • Do not remove Tunnelblick.app from /Applications; or

  • Always run as a standard user, not an administrator; or

  • Do not leave your computer unattended while it is unlocked and an administrator is logged in.

Any one of these will prevent the attack.

If/when you no longer wish to use Tunnelblick, uninstall it using the built-in uninstaller on the "Utilities" panel of Tunnelblick's "VPN Details" window, or using the standalone Tunnelblick Uninstaller. For details, see Uninstalling Tunnelblick.

If you do not want to use Tunnelblick

  • To completely remove Tunnelblick, uninstall it using the "Uninstall" button in the "Utilities" panel of Tunnelblick's "VPN Details" window.

  • If you have an old version of Tunnelblick which does not have an "Uninstall" button, use the standalone Tunnelblick Uninstaller. For details, see Uninstalling Tunnelblick.

  • If you have already uninstalled Tunnelblick by dragging it to the Trash and do not want to uninstall Tunnelblick using the above methods, deleting
    /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
    will prevent the attack, although it will leave some pieces of Tunnelblick installed. An alternative is to install any version of Tunnelblick and then completely uninstall it using the built-in uninstaller or the standalone Tunnelblick Uninstaller as described above.

FAQ

How can I tell if my computer is vulnerable to the attack?

Your computer is vulnerable to the attack:

  • If there is no Tunnelblick.app in /Applications; and
  • There is a file at /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
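The two-part check above, together with the fallback mitigation of deleting the orphaned LaunchDaemon plist from the "If you do not want to use Tunnelblick" section, as an added audit script that is not part of the Tunnelblick project. The only paths it assumes are the two named on this page; they are parameters so the logic can be exercised against constructed directories, and the script only ever removes the plist when Tunnelblick.app is absent.

```shell
#!/bin/sh
# Added example (not Tunnelblick project code): audit a Mac for the
# CVE-2025-43711 precondition described in this advisory (no Tunnelblick.app
# in /Applications, but the tunnelblickd LaunchDaemon plist still present)
# and optionally apply the advisory's fallback mitigation of deleting that plist.

APP_DEFAULT="/Applications/Tunnelblick.app"
PLIST_DEFAULT="/Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist"

# Classify the install state. Prints "installed", "incomplete-uninstall" or
# "clean"; returns 0 only for the vulnerable incomplete-uninstall state.
tunnelblick_state() {
    app="${1:-$APP_DEFAULT}"; plist="${2:-$PLIST_DEFAULT}"
    if [ -d "$app" ]; then echo installed; return 1; fi
    if [ -f "$plist" ]; then echo incomplete-uninstall; return 0; fi
    echo clean; return 1
}

# True if a space-separated group list (as printed by `id -Gn`) contains the
# macOS "admin" group, i.e. the user meets the advisory's administrator prerequisite.
groups_include_admin() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx admin
}

is_admin_user() { groups_include_admin "$(id -Gn "${1:-$(id -un)}")"; }

# Fallback mitigation from the advisory: remove the orphaned LaunchDaemon plist.
# Refuses to act while Tunnelblick.app is installed; returns 0 once the plist is gone.
remediate_orphaned_plist() {
    app="${1:-$APP_DEFAULT}"; plist="${2:-$PLIST_DEFAULT}"
    if [ -d "$app" ]; then
        echo "Tunnelblick is installed; leave its LaunchDaemon alone" >&2; return 1
    fi
    rm -f "$plist" && [ ! -e "$plist" ]
}

audit_report() {
    state=$(tunnelblick_state) || true
    echo "Tunnelblick state: $state"
    if is_admin_user; then echo "Current user is an administrator"; fi
    if [ "$state" = incomplete-uninstall ]; then
        echo "VULNERABLE: run with --fix as root, or reinstall and use the built-in uninstaller"
        return 2
    fi
    return 0
}

case "${1:-}" in
    --check) audit_report ;;
    --fix)   remediate_orphaned_plist && echo "plist removed" ;;
esac
```

Run `sh audit.sh --check` as the logged-in user to see the state, and `sudo sh audit.sh --fix` only if it reports the incomplete-uninstall state.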

What versions of Tunnelblick are affected?

Affected:

  • Tunnelblick 3.5beta06 up to and including Tunnelblick 6.1beta2.

Not affected:

  • Versions before 3.5beta06 or after 6.1beta2.

What is an "incomplete" uninstall?

An uninstall is considered complete if it was done by the Tunnelblick program's built-in uninstaller or the standalone Tunnelblick Uninstaller. Some third-party "uninstall" or "clean up" programs may also perform complete uninstalls.

Anything else is considered "incomplete". For example, if Tunnelblick was dragged from /Applications to the Trash, that is an incomplete uninstall.

Does Tunnelblick need to be installed for the attack to work?

  • A vulnerable version of Tunnelblick must have been installed at one time, and it must have been uninstalled incompletely for the attack to work.

  • The attack will not work if Tunnelblick is still installed, or if it was uninstalled using its built-in uninstaller or the standalone Tunnelblick Uninstaller.

Does uninstalling Tunnelblick prevent the attack?

Yes, but only if Tunnelblick was uninstalled by using its built-in uninstaller or the standalone Tunnelblick Uninstaller. Uninstallation using some third-party "uninstall" or "clean up" programs may also prevent the attack.

What can I do to protect my computer if I have already dragged Tunnelblick to the Trash?

See If you do not want to use Tunnelblick, above.

Timeline

2025-03-14 Initial report from Egor Filatov (Positive Technologies) to Tunnelblick developers.

2025-03-18 Tunnelblick developers understand and can reproduce the problem.

2025-03-25 Tunnelblick developers had an initial fix for the problem and began testing and refining it.

2025-03-28 Tunnelblick developers applied to MITRE Corporation for a CVE ID.

2025-04-16 MITRE assigned CVE-2025-43711 to the vulnerability.

2025-04-22 Tunnelblick 7.0 and 7.1beta01, which fix the problem, were released.

2025-06-04 Details of the vulnerability and this page were published.