Shimo VPN Client for MacOS

Root Privilege Escalation


Mailbutler GmbH



Product Version

Shimo for MacOS <

Vulnerability Details

The Shimo VPN Client for MacOS’s com.feingeist.shimo.helper tool LaunchDaemon implements an unprotected XPC service that can be abused to execute scripts as root.

Vendor Response

Mailbutler GmbH responded stating their developer would review.

Disclosure Timeline

  • Contacted Shimno Support

  • Contacted Mailbutler GmbH at [email protected]

  • Received automated response from support system

  • No response Shimno Support

  • No response Mailbutler GmbH

  • Advisory released

  • Mailbutler GmbH response