Aexol Studio Remote for Mac Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Remote for Mac, a macOS remote control utility by Aexol Studio, affecting versions through 2025.7. The vulnerability arises in the /api/executeScript endpoint, which is exposed without access control when the application is configured to allow unknown devices. In that configuration, unauthenticated remote attackers can submit arbitrary AppleScript, which is executed with the privileges of the Remote for Mac background process; because AppleScript can run shell commands (for example through the do shell script command), this amounts to unauthorized command execution on the macOS host.

Impact

Exploitation of this vulnerability allows unauthorized remote code execution on the affected macOS system, with executed commands running in the context of the Remote for Mac background process. The only precondition is that the 'Allow unknown devices' option is enabled; with it set, any peer that can reach the application's network listener can exploit the endpoint without credentials or device pairing.

Reproduction

To reproduce this vulnerability, enable the 'Allow unknown devices' option in the Remote for Mac settings; this disables device authentication for the application's HTTP API. With that setting active, a request to the /api/executeScript endpoint is accepted without authentication, and the value of the X-Script request header is executed as AppleScript on the victim's machine, giving the sender remote code execution. The advisory does not specify the HTTP method or listening port, so check the running application for the exact listener before testing. Until a fixed version is available, the exposure is removed by leaving 'Allow unknown devices' disabled and by restricting network access to the application's listener to trusted hosts.
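The request pattern above (a request for /api/executeScript carrying an X-Script header) is also what a defender should look for in traffic to a Remote for Mac host. The following Python helper is an added example, not code from the advisory or from Aexol Studio: it parses raw HTTP/1.1 requests, such as those exported from a packet capture or logged by a reverse proxy in front of the host, flags any request to the endpoint that carries the header, decodes the AppleScript for triage, and raises the severity when the script pivots to a shell via do shell script. The HTTP method, the port, and the possibility that the header value arrives percent-encoded are assumptions, since the advisory states none of them; the sample requests are constructed.

```python
"""Triage helper for captured HTTP traffic to a Remote for Mac host.

Added example; not code from Aexol Studio or from the original advisory.
It flags requests to /api/executeScript that carry an X-Script header,
which is the pattern the advisory describes. The HTTP method, listening
port and wire encoding of the script value are assumptions (the advisory
does not state them), and the sample traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

TARGET_PATH = "/api/executeScript"
SCRIPT_HEADER = "x-script"

# AppleScript construct that hands execution to /bin/sh; its presence in a
# flagged request means command execution, not just AppleScript execution.
SHELL_PIVOT = "do shell script"


@dataclass
class Finding:
    source: str    # peer that sent the request (label from the capture)
    method: str
    path: str
    script: str    # decoded AppleScript payload
    severity: str  # "high" if it pivots to a shell, otherwise "medium"


def parse_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw HTTP/1.1 request into (method, target, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; a detection keyed on 'X-Script' alone would be
    bypassed by 'x-SCRIPT'.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_request(source: str, raw: str) -> Optional[Finding]:
    """Return a Finding if the request matches the executeScript pattern."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    # Compare the path component only, so a query string or trailing slash
    # cannot hide the endpoint from the check.
    path = urlsplit(target).path
    if path.rstrip("/").lower() != TARGET_PATH.lower():
        return None
    if SCRIPT_HEADER not in headers:
        return None
    # Assumption: the value may be percent-encoded; decoding a plain value is a no-op.
    script = unquote(headers[SCRIPT_HEADER])
    severity = "high" if SHELL_PIVOT in script.lower() else "medium"
    return Finding(source, method, path, script, severity)


def scan_capture(capture: List[Tuple[str, str]]) -> List[Finding]:
    """Run inspect_request over (source, raw_request) pairs and keep the hits."""
    findings = []
    for source, raw in capture:
        finding = inspect_request(source, raw)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic (not real captures): one benign API call, one
# plain AppleScript submission, one shell pivot with a mixed-case header.
SAMPLE_CAPTURE = [
    ("10.0.0.7", "GET /api/status HTTP/1.1\r\nHost: mac.local\r\n\r\n"),
    ("10.0.0.23", "POST /api/executeScript HTTP/1.1\r\nHost: mac.local\r\n"
                  "X-Script: display dialog \"hello\"\r\n\r\n"),
    ("203.0.113.5", "POST /api/executeScript?x=1 HTTP/1.1\r\nHost: mac.local\r\n"
                    "x-SCRIPT: do%20shell%20script%20%22id%20%3E%20/tmp/out%22\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"[{f.severity}] {f.source} {f.method} {f.path}: {f.script!r}")
```

Run against the constructed capture, the benign status call is ignored, the display dialog submission is reported as medium, and the percent-encoded do shell script payload is reported as high despite the mixed-case header name and the query string on the path. Feed real captures as (source, raw request) pairs; once the host is known to have 'Allow unknown devices' enabled, any finding from an unexpected source is an exploitation attempt.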

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  8.7
  remediation     0.0
  relevance       0.2
  threat          7.7
  urgency         2.9
  incentive       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.