News

Positive Technologies bolsters security for Tunnelblick, a popular VPN app

Tunnelblick's graphical interface allows users to manage OpenVPN servers on macOS.

Tunnelblick, the go-to graphical interface for OpenVPN on macOS, just got safer thanks to a major security fix. The security issue, discovered by PT SWARM's Egor Filatov, put Apple users at risk—even those who thought they were safe after deleting the app. If exploited, the vulnerability allowed attackers to elevate their system privileges and steal data. Companies whose employees use Tunnelblick on their work devices could face the risk of a cyberattack spreading to the corporate IT infrastructure.

Tunnelblick is an open-source graphical interface for OpenVPN, the world's second most popular VPN solution. In July, 3,100 users added Tunnelblick to their favorites, and its GitHub repository has been forked more than 350 times.

The vulnerability, tracked as CVE-2025-43711, received a CVSS 3.1 score of 8.1 out of 10, indicating high severity. The bug affected all versions of Tunnelblick from 3.5beta06 up to 6.1beta2. Given the right conditions, an attacker could gain elevated privileges on a victim's computer. If the attack targeted a corporate device, the hacker could gain a foothold in the organization's network to steal data, run ransomware, or otherwise disrupt business processes.

"For a successful attack, an intruder would need a user account with permission to change macOS settings. Since admin rights are granted by default, almost anyone could be at risk. Another condition: the vulnerability could be exploited only if Tunnelblick was uninstalled incompletely—for example, by simply moving it to the trash. In that case, the device would retain a component operating with elevated privileges, which could be exploited by an attacker."

Egor Filatov, Junior Mobile Application Security Researcher at Positive Technologies

If the application was not completely removed, an attacker could place malware on the victim's device that uses Tunnelblick's privileged component. The next time the computer is turned on, the attacker's privileges would be automatically elevated, giving them permission to perform any action.

The vendor was notified of the threat under responsible disclosure policy and has released security updates. Users should update Tunnelblick to version 7.0, 7.1beta01, or later. If updating isn't possible, the vendor and Positive Technologies recommend two ways to stay safe while continuing to use Tunnelblick: do not remove Tunnelblick.app from the /Applications folder, or use a standard (non-admin) user account.

Apple computer owners who no longer need Tunnelblick are advised by the project team to uninstall the app using its built-in uninstaller. To do this, open the "VPN Details" window and look for the "Utilities" panel. If there is no "Uninstall" button, use a separate Tunnelblick Uninstaller or any other uninstaller. If you have already moved the app to the trash, delete the file located at /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist. Alternatively, reinstall any version of Tunnelblick and then uninstall it as recommended.
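As an added example (not code from the Tunnelblick project or from the advisory), the POSIX shell check below classifies a Mac's Tunnelblick state from the two paths named above, and its helper removes the leftover daemon plist only when the app itself is gone. Passing the paths as arguments and the `launchctl bootout` unload step are this example's own assumptions.

```shell
#!/bin/sh
# Added example: detect the "app moved to the trash, privileged daemon left
# behind" condition described in the advisory. Paths are arguments so the
# check can also be run against a constructed directory tree.

# Usage: tunnelblick_state APP_PATH PLIST_PATH
# Prints one of: absent | installed | orphaned-daemon | app-without-daemon
tunnelblick_state() {
  app="$1"
  plist="$2"
  if [ -d "$app" ] && [ -f "$plist" ]; then
    echo installed
  elif [ ! -d "$app" ] && [ -f "$plist" ]; then
    # Tunnelblick.app is gone but tunnelblickd's launchd entry remains:
    # the incomplete-uninstall state that CVE-2025-43711 depends on.
    echo orphaned-daemon
  elif [ -d "$app" ] && [ ! -f "$plist" ]; then
    echo app-without-daemon
  else
    echo absent
  fi
}

# Usage: remediate_orphaned_daemon APP_PATH PLIST_PATH [yes|no]
# Acts only in the orphaned state. Third argument "yes" (default) is a dry
# run that prints the commands; "no" unloads the daemon and deletes the
# plist, which requires root on a real macOS host.
remediate_orphaned_daemon() {
  app="$1"; plist="$2"; dry_run="${3:-yes}"
  state=$(tunnelblick_state "$app" "$plist")
  [ "$state" = orphaned-daemon ] || { echo "nothing to do ($state)"; return 0; }
  if [ "$dry_run" = yes ]; then
    echo "would run: launchctl bootout system \"$plist\"; rm -f \"$plist\""
  else
    launchctl bootout system "$plist" 2>/dev/null
    rm -f "$plist"
  fi
  return 0
}

# Real locations from the advisory (meaningful only on macOS):
# tunnelblick_state /Applications/Tunnelblick.app \
#   /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
```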