CVE-2025-4412: 
Viscosity vulnerability analysis and mitigation

CVE-2025-4412 is a security vulnerability affecting macOS systems running Viscosity through version 1.11.4. The vulnerability was discovered and reported to CERT Polska, with the disclosure date being May 26, 2025. The issue affects the Viscosity OpenVPN client application and involves improper handling of TCC (Transparency, Consent, and Control) permissions (CERT Polska, CVE Mitre).

The vulnerability allows an attacker to utilize a Launch Agent and load the viscosity_openvpn process from the application bundle, enabling the loading of a dynamic library with Viscosity's TCC identity. The vulnerability is classified under CWE-276 (Incorrect Default Permissions). The acquired resource access is limited without entitlements such as access to the camera or microphone, with only user-granted permissions for file resources applying (CERT Polska).

The impact of this vulnerability is primarily focused on permission escalation within the TCC framework on macOS systems. While the vulnerability allows access to resources with Viscosity's TCC identity, it is limited to previously granted permissions for file resources. Any attempt to access additional resources beyond granted permissions would trigger a system prompt requesting user permission (CERT Polska).

The vulnerability has been fixed in version 1.11.5 of Viscosity. Users are advised to update to this version to mitigate the security risk (SparkLabs, CERT Polska).