Critical Security Updates: Privilege Escalation and Remote Code Execution Vulnerabilities Patched in OpenVPN Connect and Veeam
- May 28
- 2 min read
Key Findings
Critical privilege escalation vulnerability (CVE-2026-9560, CVSS 9.4) in OpenVPN Connect for macOS allows local attackers to gain root access
Affected versions 3.5.1 through 3.8.1 contain insecure local IPC handling in the privileged helper component
Version 3.8.2 patches the vulnerability along with authentication and profile management bugs
Enterprise deployments require immediate updates to secure corporate endpoints
Multiple critical flaws discovered in Veeam backup tools including remote code execution (CVE-2026-32998, CVSS 9.4) and privilege escalation vulnerabilities
Background
OpenVPN Connect is a widely deployed virtual private network client used by enterprises and individuals to secure network traffic. The macOS version provides background services that handle system-level networking tasks through a privileged helper component. Similarly, Veeam's backup and management suite is critical infrastructure for enterprise data protection, making these vulnerabilities particularly concerning for organizations relying on these tools.
OpenVPN Connect Local IPC Exploit
The vulnerability stems from insecure inter-process communication between the application and its background privileged helper. An attacker with local system access can craft malicious inputs and send them through the IPC channel to the helper service. The helper then executes these commands with root-level privileges without proper validation. This allows complete system compromise on affected macOS machines.
Researchers Ismael Esquilichi, Pablo Redondo, and Lê Đức Ninh responsibly disclosed the flaw through proper channels. The issue affects all versions from 3.5.1 through 3.8.1 on macOS platforms.
Additional OpenVPN Connect Fixes
Beyond the privilege escalation patch, version 3.8.2 addresses two significant functional issues. The first involves web-based authentication failing when users append trailing characters like slashes or question marks to URLs. This prevented the browser from launching entirely.
The second issue involved profile management becoming unreliable during switches. The import screen sometimes appeared unexpectedly, potentially leading to blank profiles being imported or causing immediate application crashes during migration sequences.
Veeam Service Provider Console Remote Code Execution
Veeam released patches for multiple critical vulnerabilities in its backup infrastructure. The most severe flaw, CVE-2026-32998 with a CVSS score of 9.4, affects the Service Provider Console. The issue involves unsafe script execution parameters within the automated alert system.
Researcher "putsi" discovered this through the HackerOne bug bounty program. Version 9.2.1.33875 contains the fix. As an interim workaround, administrators can disable the vulnerable script path by setting AlarmManagement_ScriptExecution to false in the local configuration JSON file.
Veeam Agent and Appliance Vulnerabilities
Two additional high-severity flaws impact Veeam's endpoint and backup infrastructure. CVE-2026-32996 affects the Windows Agent, allowing a local attacker with low permissions to escalate to administrative control. Researcher "Alibabas" reported this vulnerability.
CVE-2026-32997 impacts the Linux Software Appliance, allowing authenticated backup administrators to write arbitrary files to the system. Upgrading to version 13.0.2 resolves this secondary vulnerability.
Organizations using both OpenVPN Connect and Veeam tools should prioritize immediate patching across all affected systems to prevent exploitation by threat actors.
Sources
https://securityonline.info/openvpn-connect-macos-vulnerability-patched/
https://securityonline.info/veeam-security-vulnerabilities-patches/

Comments