Description
Unity Parsec has a time-of-check to time-of-use (TOCTOU) race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application intentionally launches DLLs from a user-owned directory, but it was intended to always perform integrity verification of those DLLs. This affects Parsec Loader versions through 8. Parsec Loader 9 is a fixed version.
Exploits (1)
References (3)
Core References
Third Party Advisory
https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250
Product
https://unity3d.com
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/287122
Scores
CVSS v3: 7.0
EPSS: 0.0011
EPSS Percentile: 29.0%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-367
Status: published
Products (1): unity/parsec < 9.0
Published: Aug 20, 2023
Tracked Since: Feb 18, 2026