CVE-2025-34089

UNKNOWN 0.0

Remote for Mac Unauthenticated Remote Code Execution via AppleScript Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

CWE	CWE-306 CWE-94
Vendor	aexol studio
Product	remote for mac
Published	Jul 3, 2025
Last Updated	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for aexol studio remote for mac

Be the first to know when new unknown vulnerabilities affecting aexol studio remote for mac are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Aexol Studio / Remote for Mac

* ≤ 2025.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/osx/http/remote_for_mac_rce.rb rapid7.com: https://www.rapid7.com/db/modules/exploit/osx/http/remote_for_mac_rce/ apps.apple.com: https://apps.apple.com/us/app/remote-for-mac/id1086962925 packetstorm.news: https://packetstorm.news/files/id/195347 vulncheck.com: https://vulncheck.com/advisories/remote-for-mac-rce

Credits

Chokri Hammedi