CVE-2025-4412: 
Viscosity vulnerability analysis and mitigation

CVE-2025-4412 affects macOS systems running Viscosity through version 1.11.4. The vulnerability was discovered and disclosed on May 26, 2025, and involves improper handling of TCC (Transparency, Consent, and Control) permissions in the Viscosity OpenVPN client application (CERT Polska, NVD).

The vulnerability allows an attacker to utilize a Launch Agent and load the viscosity_openvpn process from the application bundle, enabling the loading of a dynamic library with Viscosity's TCC identity. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and has received a CVSS v4.0 score of 4.8 MEDIUM (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) (NVD).

The impact of this vulnerability is limited in scope. The acquired resource access is restricted without entitlements such as access to the camera or microphone. Only user-granted permissions for file resources apply, and access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission (CERT Polska, Wiz).

This vulnerability has been fixed in version 1.11.5 of Viscosity. Users are advised to update to this version to mitigate the security risk (SparkLabs, CERT Polska).