CVE-2025-34089
published 2025-07-03


Priority: P272
Severity: critical
CVSS 4.0 score: 9.3
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.39% (68.9th percentile)
An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aexol_studio | remote_for_mac | <= 2025.7 | |

Detection & IOCs

url: /api/executeScript
other: X-Script
  • Monitor for unauthenticated HTTP requests to the /api/executeScript endpoint on the Remote for Mac service port. Any POST/GET to this path from an unknown or external source should be treated as a potential exploitation attempt.
  • Inspect HTTP traffic for the presence of the X-Script header containing AppleScript or `do shell script` constructs, which is the injection vector for this vulnerability.
  • Alert on process execution chains where the Remote for Mac background process spawns unexpected child processes (e.g., shell commands), as successful exploitation results in arbitrary command execution under that process's privileges.
  • The Metasploit module for this CVE targets macOS HTTP services; correlate exploit framework signatures or known Metasploit payloads against traffic to the Remote for Mac service.
  • The vulnerability is only exploitable when the 'Allow unknown devices' option is enabled (authentication disabled). Systems with authentication enabled are NOT exposed to unauthenticated exploitation.
  • All patch versions up to and including 2025.7 are confirmed vulnerable; version-based filtering alone is insufficient to determine exposure without also checking the authentication configuration.
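
One way to implement the first two monitoring points above, as an added example (not code from the vendor, the advisory or any exploit module): a Python check over raw HTTP request heads that flags `/api/executeScript` requests and grades them by source and `X-Script` content. The `KNOWN_SOURCES` network, the sample requests and the severity labels are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the only network whose devices are expected to reach the service.
KNOWN_SOURCES = [ipaddress.ip_network("192.168.10.0/24")]
SHELL_RE = re.compile(r"do\s+shell\s+script", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    # Drop query string and trailing slash; lower-casing is a conservative match.
    path = target.split("?", 1)[0].rstrip("/").lower()
    return method, path, headers

def classify(src_ip, raw):
    """Return None, or a finding dict for a request to /api/executeScript."""
    method, path, headers = parse_request(raw)
    if path != "/api/executescript":
        return None
    reasons = []
    if not any(ipaddress.ip_address(src_ip) in net for net in KNOWN_SOURCES):
        reasons.append("unknown-source")
    script = headers.get("x-script")
    if script is not None:
        reasons.append("x-script-header")
        if SHELL_RE.search(script):
            reasons.append("do-shell-script")
    high = "unknown-source" in reasons or "do-shell-script" in reasons
    return {"src": src_ip, "method": method,
            "severity": "high" if high else "info", "reasons": reasons}

# Constructed sample requests (not captured traffic); "<cmd>" is a placeholder.
SAMPLES = [
    ("192.168.10.23", "GET /api/status HTTP/1.1\r\nHost: mac.local\r\n\r\n"),
    ("203.0.113.50", "GET /api/executeScript HTTP/1.1\r\nHost: mac.local\r\n"
                     "x-script: do shell script \"<cmd>\"\r\n\r\n"),
    ("192.168.10.23", "GET /api/executeScript/ HTTP/1.1\r\nHost: mac.local\r\n"
                      "X-Script: tell application \"Music\" to pause\r\n\r\n"),
]

def findings():
    return [f for f in (classify(ip, raw) for ip, raw in SAMPLES) if f]

if __name__ == "__main__":
    for finding in findings():
        print(finding)
```

A request from a known device that carries only ordinary AppleScript is reported as `info` rather than dropped, so it can still be correlated with the child-process alerts described above.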