Critical OpenVPN macOS Flaw Allows Arbitrary Command Execution
A critical privilege escalation vulnerability affects OpenVPN Connect for macOS. Local attackers can exploit this flaw to execute arbitrary commands with elevated privileges, leveraging the application’s background service component.
Tracked as CVE-2026-9560, the flaw affects all versions from 3.5.1 through 3.8.1 and has been assigned a CVSS 4.0 base score of 9.4 (Critical).
The security flaw resides in OpenVPN Connect’s macOS privileged helper component, a background service responsible for managing VPN connections with elevated system privileges.
The vulnerability is classified under CWE-78 (OS Command Injection) and is exploitable via a local IPC (Inter-Process Communication) channel.
By communicating directly with this background service through the local IPC channel, a threat actor already present on the system can inject and execute arbitrary OS commands as root without requiring user interaction.
The flaw was responsibly disclosed and credited to security researchers Ismael Esquilichi, Pablo Redondo, and Lê Đức Ninh. As of publication, there are no public proof-of-concept exploits and no confirmed cases of active exploitation in the wild.
Alongside the critical CVE fix, OpenVPN also addressed two other bugs in the same release:
- Browser authentication failure — Fixed an issue where a server URL ending with `/`, `?`, or `#` prevented the app from launching the browser for web-based authentication.
- Blank profile import crash — Fixed a UI issue where the manual profile import screen appeared unexpectedly, potentially causing a blank profile to be imported or the app to crash when switching profiles.
Mitigation Steps
Security teams and macOS users running OpenVPN Connect should act immediately:
- Update immediately to the latest version of OpenVPN Connect beyond 3.8.1.
- Restrict local access to all systems running affected versions.
- Monitor for unusual IPC communication with OpenVPN background processes.
- Audit endpoint access controls to minimize local attack surface on managed devices.
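To find endpoints that are still inside the affected range, here is an added inventory check (not OpenVPN's own code) that reads the installed version and compares it against 3.5.1 through 3.8.1; the app bundle path and the `CFBundleShortVersionString` key are assumptions about a default install.

```python
#!/usr/bin/env python3
"""Flag OpenVPN Connect for macOS installs in the CVE-2026-9560 affected range.

Added example, not OpenVPN's code. Assumptions: the app bundle lives at
/Applications/OpenVPN Connect.app and its version is CFBundleShortVersionString.
"""
import plistlib
import re
from pathlib import Path

AFFECTED_MIN = (3, 5, 1)   # first affected version, per the advisory
AFFECTED_MAX = (3, 8, 1)   # last affected version, per the advisory

# Assumed install path; adjust for managed or relocated installs.
APP_PLIST = "/Applications/OpenVPN Connect.app/Contents/Info.plist"


def parse_version(text: str) -> tuple:
    """Turn '3.8.1' (or '3.8', '3.8.1.1234') into a 3-tuple of ints.

    Raises ValueError on anything that is not dotted integers, so a garbled
    version string is reported instead of being silently treated as safe.
    A fourth build component is dropped, so '3.8.1.x' is treated as 3.8.1
    (conservative: counted as affected).
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]   # pad short versions, truncate long ones


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's range, inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def installed_version(plist_path: str = APP_PLIST):
    """Read the bundle version, or None if OpenVPN Connect is not installed here."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("OpenVPN Connect not found at the assumed path")
    elif is_affected(ver):
        print(f"OpenVPN Connect {ver} is in the affected range; update past 3.8.1")
    else:
        print(f"OpenVPN Connect {ver} is outside the affected range")
```

Run it from an MDM script or over SSH on each managed Mac; the exit text alone is enough to build a list of hosts that still need the update.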
Given that this is a local privilege escalation flaw, organizations should treat any unpatched endpoint as a potential lateral movement risk, particularly in environments where multiple users share access to macOS systems.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.