CVE-2025-3651 CRITICAL

CVE-2025-3651: Command Injection in iManage Work Desktop for Mac's Agent Service

Vendor iManage
Product Work Desktop for Mac
Weakness CWE-346 · Origin validation
Published April 17, 2025
Last update April 17, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01 Description

Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier allows attackers to execute arbitrary commands via unauthorized access to the Agent service. This has been remediated in Work Desktop for Mac version 10.8.2.33.

Key dates

02 Disclosure timeline

April 17, 2025 CVE published
April 17, 2025 Record updated