
CVE-2025-14979

Severity: High · Public PoC · LPE

Published: 06 January 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: Eddie Desktop Edition 2.25 beta
CVSS v4.0 score: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0015 (4.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-14979 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in AirVPN Eddie. Its CVSS base score is 8.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 4.4th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-14979 affects AirVPN Eddie version 2.24.6 on macOS, where an insecure XPC service enables local privilege escalation. Specifically, the vulnerability, tied to CWE-732 (Incorrect Permission Assignment for Critical Resource), allows unprivileged users to gain root access. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with local access required.

A local attacker with low privileges can exploit the insecure XPC service to elevate to root, with high confidentiality, integrity, and availability impact. Root access amounts to full system compromise: executing arbitrary code, modifying critical files, or disrupting services.

Advisories reference a patch in Eddie Desktop Edition 2.25 beta, released via AirVPN forums. Further details appear in Fluid Attacks' advisory (blink182), the Eddie website, and the AirVPN Eddie GitHub repository.


Vulnerability details

AirVPN Eddie on macOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This issue affects Eddie 2.24.6.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Insecure XPC service with incorrect permissions (CWE-732) directly enables local exploitation for privilege escalation to root on macOS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21325 (shared CWE-732)
CVE-2025-12985 (shared CWE-732)
CVE-2026-25112 (shared CWE-732)
CVE-2025-22454 (shared CWE-732)
CVE-2026-8110 (shared CWE-732)
CVE-2024-55411 (shared CWE-732)
CVE-2024-11497 (shared CWE-732)
CVE-2026-24834 (shared CWE-732)
CVE-2026-41217 (shared CWE-732)
CVE-2025-21571 (shared CWE-732)

Affected Assets

Vendor: airvpn
Product: eddie
Version: 2.24.6

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)
Enforces least privilege to prevent unprivileged local users from escalating to root via the insecure XPC service.

CM-6 Configuration Settings (prevent)
Ensures secure configuration settings for critical resources like the XPC service to correct improper permission assignments (CWE-732).

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation through patching, as provided in AirVPN Eddie 2.25 beta, to eliminate the privilege escalation vulnerability.
