Connectify has successfully resolved a significant security vulnerability in its Speedify macOS VPN application. The vulnerability, which is tracked as CVE-2025-25364, was announced by researchers at SecureLayer7.  The issues had been previously addressed in the February 3rd 15.2 software update.

This issue affects macOS devices which installed a downloaded version of Speedify prior to the February 3rd, 2025 release of Speedify 15.2.  macOS users who installed from the App Store are not affected by this issue.  Speedify users on platforms other than macOS are unaffected as well.

We are unaware of any attackers taking advantage of this vulnerability.  Affected users should upgrade to the latest version immediately.

The vulnerability existed in three key functions of Speedify's helper tool:

• The XPC Message Handler that accepted incoming messages without proper validation
• The _handleLaunchSpeedifyMsg function that extracted command parameters directly from user input
• The _RunSystemCmd function that constructed shell commands from these parameters and executed them with root privileges

This implementation flaw made it possible for attackers to inject malicious shell commands that would be executed with the highest system privileges, potentially leading to  system compromise.

In Speedify 15.2, Speedify's development team completely redeveloped the stand-alone macOS version of Speedify based on more recent Apple APIs. Their comprehensive response included:

1. A complete rewrite of the helper tool architecture, changing from an application that ran as root, to a macOS System Extension.
2. Implementation of strict input validation and sanitization for all parameters.
3. Removal of insecure XPC message handling mechanisms.
4. Rigorous security testing to verify the effectiveness of the fix.

These changes were incorporated into Speedify version 15.2, which was released on February 3rd, 2025.

All Speedify users on macOS systems, who installed outside of the App Store, are strongly advised to:

• Update immediately to the most recent version (currently 15.5, as of April 22nd, 2025), or at least version 15.2. 
• Verify the installation of the correct version through opening the application's settings menu.  The software version is displayed at the bottom of the menu.
• Consider changing system passwords if running potentially vulnerable versions for extended periods.

This incident highlights Connectify's commitment to user security and their responsive approach to addressing vulnerabilities. The company has also enhanced their security review processes for privileged components and implemented additional safeguards to prevent similar issues in future releases.

The swift resolution of this vulnerability demonstrates how seriously Connectify takes its responsibility to protect users who rely on their VPN service for privacy and security.