Speedify VPN Command Injection Vulnerability in XPC Service on macOS

Vulnerability

A command injection vulnerability has been identified in the Speedify VPN application for macOS, specifically in versions prior to 15.0.0. The issue resides in the me.connectify.SMJobBlessHelper XPC service, where attackers can execute arbitrary commands with root privileges. This vulnerability arises from improper validation of user input in the XPC message handler, allowing malicious shell commands to be injected and executed with elevated rights.
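The class of bug described above, shown as an added example that is not Speedify's code and not taken from the advisory: a privileged helper pastes a client-supplied string into a shell command, and the hardened form validates the field and runs the tool without a shell. The names `field_is_safe` and `run_tool`, the allowlist, and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Allowlist check for a string field taken from an untrusted client message
 * (in an XPC helper it would come from xpc_dictionary_get_string()).
 * Accepts an absolute path of at most 255 chars from [A-Za-z0-9._/-], no "..". */
int field_is_safe(const char *s) {
    if (s == NULL || s[0] != '/') return 0;
    size_t n = strlen(s);
    if (n > 255 || strstr(s, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '/' && c != '-') return 0;
    }
    return 1;
}

/* Vulnerable pattern (hypothetical, for contrast): the field is pasted into a
 * shell string, so quotes, ';', '$(...)' or backticks in it are interpreted by
 * /bin/sh with the helper's privileges:
 *     snprintf(cmd, sizeof cmd, "/usr/bin/tool \"%s\"", field); system(cmd); */

/* Hardened pattern: validate, then pass the field as a single argv element
 * with no shell involved. Returns the exit status, or -1 on reject/failure. */
int run_tool(const char *tool, const char *field) {
    if (!field_is_safe(field)) return -1;
    char *argv[] = { (char *)tool, (char *)field, NULL };
    pid_t pid;
    if (posix_spawn(&pid, tool, NULL, NULL, argv, environ) != 0) return -1;
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed inputs, not values from the advisory. */
    const char *samples[] = { "/Applications/Example.app/tool",
                              "/tmp/x\"; id; \"", "/tmp/$(id)", "/tmp/../etc" };
    for (size_t i = 0; i < 4; i++)
        printf("%-32s -> %s\n", samples[i], field_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Input validation alone does not authenticate the caller; a root helper should also verify the connecting client's code signature before acting on any message.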

Impact

Exploitation of this vulnerability allows for arbitrary command execution with root privileges on the affected macOS system.

Remediation

Users of the Speedify VPN application on macOS who installed the software outside of the App Store should update to version 15.2 or later. Instructions for verifying the installed version are available on the Speedify website.

Added: Dec 23, 2025, 7:18 PM
Updated: Dec 23, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 3.3
remediation: 7.7
relevance: 1.7
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.