CVE-2023-27326

HIGH

Parallels Desktop < 18.1.1_\(53328\) - Path Traversal

Title source: rule
STIX 2.1

Description

Parallels Desktop Toolgate Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system. . Was ZDI-CAN-18933.

Exploits (2)

nomisec WORKING POC 172 stars
by Impalabs · poc
https://github.com/Impalabs/CVE-2023-27326
nomisec WORKING POC 37 stars
by Malwareman007 · poc
https://github.com/Malwareman007/CVE-2023-27326

References (2)

Core 2
Core References
Third Party Advisory x_research-advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-221/
Vendor Advisory vendor-advisory
https://kb.parallels.com/125013

Scores

CVSS v3 8.2
EPSS 0.0277
EPSS Percentile 86.1%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (1)
parallels/parallels_desktop < 18.1.1_\(53328\)
Published May 03, 2024
Tracked Since Feb 18, 2026