CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands

Cybersecurity News Archived May 28, 2026 ✓ Full text saved

A critical privilege escalation vulnerability has been discovered in OpenVPN Connect for macOS, enabling local attackers to execute arbitrary commands with elevated privileges through the application’s background service component. Tracked as CVE-2026-9560, the flaw affects all versions from 3.5.1 through 3.8.1 and has been assigned a CVSS 4.0 base score of 9.4 (Critical). The security […] The post Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands appeared

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands By Guru Baran May 28, 2026 A critical privilege escalation vulnerability has been discovered in OpenVPN Connect for macOS, enabling local attackers to execute arbitrary commands with elevated privileges through the application’s background service component. Tracked as CVE-2026-9560, the flaw affects all versions from 3.5.1 through 3.8.1 and has been assigned a CVSS 4.0 base score of 9.4 (Critical). The security flaw resides in OpenVPN Connect’s macOS privileged helper component, a background service responsible for managing VPN connections with elevated system privileges. The vulnerability is classified under CWE-78 (OS Command Injection) and is exploitable via a local IPC (Inter-Process Communication) channel. By communicating directly with this background service through the local IPC channel, a threat actor already present on the system can inject and execute arbitrary OS commands as root without requiring user interaction. The flaw was responsibly disclosed and credited to security researchers Ismael Esquilichi, Pablo Redondo, and Lê Đức Ninh. As of publication, there are no public proof-of-concept exploits and no confirmed cases of active exploitation in the wild. Alongside the critical CVE fix, OpenVPN also addressed two other bugs in the same release: Browser authentication failure — Fixed an issue where a server URL ending with /, ?, or # Prevented the app from launching the browser for web-based authentication. Blank profile import crash — Fixed a UI issue where the manual profile import screen appeared unexpectedly, potentially causing a blank profile to be imported or the app to crash when switching profiles. Mitigation Steps Security teams and macOS users running OpenVPN Connect should act immediately: Update immediately to the latest version of OpenVPN Connect beyond 3.8.1. Restrict local access to all systems running affected versions. Monitor for unusual IPC communication with OpenVPN background processes. Audit endpoint access controls to minimize local attack surface on managed devices. Given that this is a local privilege escalation flaw, organizations should treat any unpatched endpoint as a potential lateral movement risk, particularly in environments where multiple users share access to macOS systems. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News CISA adds Langflow Origin Validation Flaw to Known Exploited Vulnerabilities Catalog CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks New BTMOB Malware Lets Attackers Remotely Control Android Devices Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns Latest News Cyber Security News VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN Cyber Security News AI-Generated npm Malware Accidentally Exposes Threat Actor’s Private GitHub Token Cyber Security News Claude Opus 4.8 Released With Ability to Work as an Experienced Engineer Cyber Security New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely Cyber Security News Hackers Deploy VIP Keylogger Through Phishing Emails Masquerading as Business Documents
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗