Remote Code Execution Vulnerability in Remote for Mac by Aexol Studio
CVE-2025-34089
Key Information:
- Vendor: Aexol Studio
- CVE Published: 3 July 2025
What is CVE-2025-34089?
CVE-2025-34089 is a remote code execution vulnerability in Remote for Mac, a macOS remote control utility developed by Aexol Studio. The vulnerability arises when the application is configured to allow connections from unknown devices, which disables authentication. The flaw is in the /api/executeScript endpoint, which lacks adequate access controls, so an unauthenticated attacker can execute arbitrary AppleScript commands by supplying them in the X-Script HTTP header. Exploitation lets an unauthorized user run commands on the macOS system with the privileges of the Remote for Mac background process. This can lead to significant compromises within the affected organization, including unauthorized data access and system manipulation.
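A defender-side check for the request pattern described above, as an added example that is not from the advisory or from Aexol Studio: it parses captured HTTP request heads and flags any that reach /api/executeScript carrying an X-Script header. The capture format, the GET method, the host name and the known_devices allowlist are assumptions, and the sample requests are constructed.

```python
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/executescript"  # endpoint named in the advisory, lower-cased
HEADER = "x-script"              # header named in the advisory, lower-cased

def parse_request_head(raw):
    """Parse a raw HTTP/1.x request head into (method, path, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None  # not a well-formed request line
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Normalise conservatively (query, percent-encoding, trailing slash, case).
    path = unquote(urlsplit(target).path).rstrip("/").lower()
    return method, path, headers

def flag_request(raw, src_ip, known_devices=frozenset()):
    """Return an alert dict if the request carries a script to the endpoint."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return None
    method, path, headers = parsed
    if path != ENDPOINT or HEADER not in headers:
        return None
    size = sum(len(v) for v in headers[HEADER])
    # known_devices is a hypothetical allowlist of expected controller IPs.
    severity = "review" if src_ip in known_devices else "high"
    return {"src": src_ip, "method": method, "script_bytes": size, "severity": severity}

# Constructed sample capture: (source IP, raw request head). Not real traffic.
SAMPLES = [
    ("192.0.2.10", "GET /api/executeScript HTTP/1.1\r\nHost: mac.example.test\r\nX-Script: PLACEHOLDER\r\n\r\n"),
    ("198.51.100.7", "GET /API/%65xecuteScript/?a=1 HTTP/1.1\r\nx-script: PLACEHOLDER\r\n\r\n"),
    ("198.51.100.7", "GET /api/status HTTP/1.1\r\nHost: mac.example.test\r\n\r\n"),
]

def scan(samples, known_devices=frozenset()):
    return [a for ip, raw in samples if (a := flag_request(raw, ip, known_devices))]

if __name__ == "__main__":
    print(*scan(SAMPLES, known_devices={"192.0.2.10"}), sep="\n")
```

The alert records only the size of the header value, so script text does not end up copied into downstream logs.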
Potential impact of CVE-2025-34089
- Unauthorized Command Execution: Attackers can leverage this vulnerability to run arbitrary commands on an affected macOS system, potentially leading to full system compromise. This capability allows malicious actors to manipulate system operations, access sensitive data, or install additional malicious software.
- Data Breaches: The exploitation of this vulnerability could lead to unauthorized access to confidential information stored on the compromised system. Given that Remote for Mac may be used to access critical business data, the potential for serious data breaches poses significant risks to organizational security and compliance.
- Escalation of Attacks: Successful exploitation can serve as a foothold for further attacks within an organization’s network. An attacker may use access gained through this vulnerability to move laterally, potentially affecting additional systems and increasing the overall impact of the security incident.

Affected Version(s)
Remote for Mac * <= 2025.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
EPSS Score
56% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
