A Vulnerability in Tunnelblick Could Be Exploited Even After Its Removal

Yegor Filatov, a specialist at Positive Technologies, has discovered and helped remediate a serious vulnerability in Tunnelblick, a graphical interface for working with OpenVPN. The flaw allowed privilege escalation on macOS systems and could lead to data theft. What made the issue especially dangerous was that it could still be exploited even after the application had seemingly been removed.

Vulnerability Details

The weakness was assigned CVE-2025-43711 and PT-2025-25226, carrying a CVSS 3.1 score of 8.1 out of 10. It affected all versions of Tunnelblick from 3.5beta06 up to 6.1beta2. Exploiting this bug gave attackers a path to escalate privileges on the victim’s machine.

“For a successful attack, the perpetrator would need a user account with the ability to change macOS settings. Since administrative privileges are granted by default, practically anyone could become a victim,” explained Yegor Filatov, Junior Specialist in the Mobile Application Security Research Group at Positive Technologies.

He added that the flaw could only be triggered if Tunnelblick had not been fully uninstalled. Simply dragging the app to the trash was not enough. In that case, a privileged component would remain on the device—something an attacker could exploit.

How the Exploit Works

If the application was only partially removed, attackers could install malware that hijacked the leftover Tunnelblick component. On the next system reboot, their privileges would be escalated automatically, granting full administrative control and the ability to perform any operation on the computer.

Mitigation and Fix

Once notified, the Tunnelblick development team acted quickly and released patched versions. Users are strongly advised to update to Tunnelblick 7.0, 7.1beta01, or later.

For those unable to install the patch, experts recommend two interim measures:

  • Do not delete Tunnelblick.app from the /Applications folder.
  • Use a standard (non-admin) account for daily work.

Safe Removal Instructions

For users who no longer need Tunnelblick, the developers recommend using the official uninstaller. This can be found in the “VPN Details” window under the “Utilities” panel. If the “Delete” button does not appear, users can download a separate Tunnelblick uninstaller or use a third-party removal tool.

If the application was already moved to the trash, additional cleanup is required. Users should manually delete the privileged component located at:

/Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
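As an added example (not part of the article or the Tunnelblick project), the following POSIX shell check reports whether a host is in the risky state described above: the app bundle gone from /Applications while the privileged daemon plist is still present. The optional ROOT argument is an assumption added so the check can be pointed at a staged directory tree or mounted image; it deletes nothing and only reports.

```shell
#!/bin/sh
# Added example, not part of the article or the Tunnelblick project.
# Reports whether a macOS host is in the state the article warns about:
# Tunnelblick.app removed while the privileged launch daemon plist remains.
# Nothing is deleted; the script only reports and returns a status.
set -u

# Paths named in the article.
APP_PATH="/Applications/Tunnelblick.app"
DAEMON_PLIST="/Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist"

# tunnelblick_leftover_state [ROOT]
# ROOT (assumed helper argument) is prepended to both paths so the check can
# run against a staged tree or a mounted image instead of the live system.
# Prints exactly one word:
#   installed - app bundle and daemon plist both present (normal install)
#   orphaned  - daemon plist present, app bundle gone (the exploitable leftover)
#   app-only  - app bundle present, no daemon plist
#   clean     - neither present
tunnelblick_leftover_state() {
  root="${1:-}"
  if [ -d "$root$APP_PATH" ]; then
    if [ -f "$root$DAEMON_PLIST" ]; then echo installed; else echo app-only; fi
  elif [ -f "$root$DAEMON_PLIST" ]; then
    echo orphaned
  else
    echo clean
  fi
}

# tunnelblick_report [ROOT]
# Human-readable verdict; returns 1 when the orphaned component is found so
# the function can drive a fleet or MDM script (e.g. tunnelblick_report || alert).
tunnelblick_report() {
  state=$(tunnelblick_leftover_state "${1:-}")
  case "$state" in
    orphaned)
      echo "WARNING: $DAEMON_PLIST remains but $APP_PATH is gone."
      echo "Remove the leftover daemon plist (the cleanup the article recommends)"
      echo "or reinstall and run the official uninstaller, then reboot."
      return 1 ;;
    installed)
      echo "Tunnelblick installed; make sure it is version 7.0, 7.1beta01 or later." ;;
    *)
      echo "No orphaned Tunnelblick daemon found ($state)." ;;
  esac
}

# Check the live system when run directly.
tunnelblick_report ""
```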

Takeaway

This case underscores a common security pitfall: incomplete uninstallation of applications with privileged components can leave systems exposed. Even after software appears to be gone, remnants can provide attackers with dangerous footholds. The safest approach is always to follow vendor-recommended removal methods and keep security-critical applications updated.