CVE-2025-4412

On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 1.11.5 of Viscosity.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/05/tcc-bypass/
https://www.sparklabs.com/viscosity/

Configurations

No configuration.

History

28 May 2025, 15:01

Type	Values Removed	Values Added
Summary		(es) En sistemas macOS, al utilizar un agente de lanzamiento y cargar el proceso dosage_openvpn desde el paquete de la aplicación, es posible cargar una librería dinámica con la identidad TCC (Transparencia, Consentimiento y Control) de Viscosity. El acceso a los recursos adquiridos está limitado, sin permisos como el acceso a la cámara o al micrófono. Solo se aplican los permisos otorgados por el usuario para los recursos de archivo. El acceso a otros recursos, además de los permisos otorgados, requiere la interacción del usuario con un mensaje del sistema solicitando permiso. Este problema se solucionó en la versión 1.11.5 de Viscosity.

27 May 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-27 10:15

Updated : 2025-05-28 15:01

NVD link : CVE-2025-4412

Mitre link : CVE-2025-4412

CVE.ORG link : CVE-2025-4412

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2025-4412", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-27T10:15:19.383", "references": [{"url": "https://cert.pl/en/posts/2025/05/tcc-bypass/", "source": "cvd@cert.pl"}, {"url": "https://www.sparklabs.com/viscosity/", "source": "cvd@cert.pl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "On macOS systems, by utilizing a Launch Agent and loading the viscosity_openvpn process from the application bundle, it is possible to load a dynamic library with Viscosity's TCC (Transparency, Consent, and Control) identity. The acquired resource access is limited without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.\n\nThis issue was fixed in version 1.11.5 of Viscosity."}, {"lang": "es", "value": "En sistemas macOS, al utilizar un agente de lanzamiento y cargar el proceso dosage_openvpn desde el paquete de la aplicaci\u00f3n, es posible cargar una librer\u00eda din\u00e1mica con la identidad TCC (Transparencia, Consentimiento y Control) de Viscosity. El acceso a los recursos adquiridos est\u00e1 limitado, sin permisos como el acceso a la c\u00e1mara o al micr\u00f3fono. Solo se aplican los permisos otorgados por el usuario para los recursos de archivo. El acceso a otros recursos, adem\u00e1s de los permisos otorgados, requiere la interacci\u00f3n del usuario con un mensaje del sistema solicitando permiso. Este problema se solucion\u00f3 en la versi\u00f3n 1.11.5 de Viscosity."}], "lastModified": "2025-05-28T15:01:30.720", "sourceIdentifier": "cvd@cert.pl"}