CVE-2023-27326

HIGH

Parallels Desktop < 18.1.1 (53328) - Local Privilege Escalation via Toolgate Directory Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-27326. PoCs published by Impalabs, Malwareman007.

AI-analyzed exploit summary This repository contains a functional kernel module exploit for CVE-2023-27326, targeting a path validation flaw in Parallels Desktop's Toolgate component. The exploit leverages improper input validation to escalate privileges and execute arbitrary code on the host system.

Description

Parallels Desktop Toolgate Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system. . Was ZDI-CAN-18933.

Exploits (2)

nomisec WORKING POC 172 stars
by Impalabs · poc
https://github.com/Impalabs/CVE-2023-27326

This repository contains a functional kernel module exploit for CVE-2023-27326, targeting a path validation flaw in Parallels Desktop's Toolgate component. The exploit leverages improper input validation to escalate privileges and execute arbitrary code on the host system.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Parallels Desktop version 18.0.0 (53049)
Auth required
Prerequisites: Local access to a vulnerable Parallels Desktop installation · Kernel module loading capabilities
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 37 stars
by Malwareman007 · poc
https://github.com/Malwareman007/CVE-2023-27326

This repository contains a functional kernel module exploit for CVE-2023-27326, a directory traversal vulnerability in Parallels Desktop's Toolgate component. The exploit leverages improper path validation to achieve local privilege escalation by writing arbitrary files on the host system.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Parallels Desktop version 18.0.0 (53049)
Auth required
Prerequisites: Local access to a vulnerable Parallels Desktop installation · Kernel module loading capabilities
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory x_research-advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-221/
Vendor Advisory vendor-advisory
https://kb.parallels.com/125013

Scores

CVSS v3 8.2
EPSS 0.0126
EPSS Percentile 65.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (1)
parallels/parallels_desktop < 18.1.1_\(53328\)
Published May 03, 2024
Tracked Since Feb 18, 2026