CVE-2025-5687 - Vulnerability Details

- Local privilege escalation vulnerability in Mozilla VPN clients for macOS v2.27.0 and below.

Description

A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root.
*This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected.*. This vulnerability was fixed in Mozilla VPN 2.28.0 (macOS).

Published: 2025-06-11

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a local privilege escalation flaw in Mozilla VPN on macOS, allowing a normal user to gain root privileges through improper privilege checks in the client software. This escalation lets an attacker modify system settings, install persistent malware, or read sensitive data without authorization. The flaw is classified under CWE-269.

Affected Systems

Affected users run Mozilla VPN for macOS version 2.27.0 or earlier; versions 2.28.0 and later include the fix. Other operating systems, such as Windows or Linux, are not impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates medium‑to‑high severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires local user access and relies on the macOS client, the attack vector is inferred to be local execution. No public exploit has been reported.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Mozilla VPN 2.28.0

affected

Version	Status	Constraints
`(macOS)`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:vpn:*:*:*:*:*:macos:*:*

No data.

Vendor	Product	Confidence	Versions
Mozilla	Mozilla Vpn	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply Mozilla VPN 2.28.0 or newer to all macOS devices.
Temporarily disable VPN service on affected systems until the update is rolled out.
Deploy monitoring to detect unauthorized privilege escalation attempts by local users.

Generated by OpenCVE AI on April 20, 2026 at 17:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-18102	A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root. This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected. This vulnerability affects Mozilla VPN 2.28.0 < (macOS).

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1953736
https://www.mozilla.org/security/advisories/mfsa2025-48/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root. This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected. This vulnerability affects Mozilla VPN 2.28.0 < (macOS).	A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root. This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected.. This vulnerability was fixed in Mozilla VPN 2.28.0 (macOS).
Title		Local privilege escalation vulnerability in Mozilla VPN clients for macOS v2.27.0 and below.

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00013}`	epss `{'score': 0.00015}`

Wed, 02 Jul 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla vpn
CPEs		cpe:2.3:a:mozilla:vpn::::::macos::*
Vendors & Products		Mozilla Mozilla vpn

Wed, 11 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-269
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 11 Jun 2025 12:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root. This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected. This vulnerability affects Mozilla VPN 2.28.0 < (macOS).
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1953736 https://www.mozilla.org/security/advisories/mfsa2025-48/

Subscriptions

Mozilla Mozilla Vpn Vpn

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-06-11T12:07:49.739Z

Updated: 2026-04-13T14:31:48.521Z

Reserved: 2025-06-04T14:07:33.129Z

Link: CVE-2025-5687

Vulnrichment

Updated: 2025-06-11T13:33:53.078Z

NVD

Status : Modified

Published: 2025-06-11T12:15:29.023

Modified: 2026-04-13T15:17:05.593

Link: CVE-2025-5687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses

CWE-269

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object