CVE-2024-54189

| EUVD-2024-54642 HIGH
2025-06-03 [email protected]
7.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 14, 2026 - 17:04 euvd
EUVD-2024-54642
Analysis Generated
Mar 14, 2026 - 17:04 vuln.today
PoC Detected
Jul 02, 2025 - 14:49 vuln.today
Public exploit code
CVE Published
Jun 03, 2025 - 10:15 nvd
HIGH 7.8

Tags

Privilege Escalation Parallels Desktop

Description

A privilege escalation vulnerability exists in the Snapshot functionality of Parallels Desktop for Mac version 20.1.1 (build 55740). When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.

Analysis

Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) where the snapshot functionality allows a local attacker with user-level privileges to write arbitrary files via hard link exploitation of a root-owned process. An attacker can leverage this to escalate privileges from a normal user to root, potentially achieving full system compromise. The vulnerability has a CVSS score of 7.8 (high severity) and requires local access with low complexity.

Technical Context

The vulnerability exists in Parallels Desktop's snapshot mechanism, which operates with elevated privileges. When a snapshot is initiated, a root-level service writes to a file that is accessible to the unprivileged user who initiated the snapshot. This represents a Time-of-check-Time-of-use (TOCTOU) race condition combined with insecure temporary file handling. The root cause is classified as CWE-62 (Improper Validation of Specified Quantity in Input), which encompasses improper file ownership and permissions validation. By creating a hard link pointing to a sensitive system file (such as ~/.ssh/authorized_keys, launchd configurations, or other privilege-sensitive paths), an attacker can cause the root process to write to these locations when the snapshot operation occurs. The affected product is Parallels Desktop for Mac, specifically version 20.1.1 with build identifier 55740. CPE identification would be: cpe:2.3:a:parallels:parallels_desktop:20.1.1:*:*:*:*:macos:*:* with build 55740.

Affected Products

Parallels Desktop for Mac (['20.1.1 (build 55740)'])

Remediation

Upgrade Parallels Desktop for Mac from version 20.1.1 (build 55740) to the next available patched release. Workaround: Disable VM snapshot feature in Parallels Desktop settings or restrict snapshot operations to administrator users only via access controls. Mitigation: Use macOS Security & Privacy settings to restrict Parallels Desktop permissions; monitor /tmp and /var/tmp for suspicious hard link creation during snapshot operations. Detection: Implement file integrity monitoring (FIM) and audit logging for hard link creation to sensitive paths (~/.ssh, /etc/sudoers.d, /Library/LaunchDaemons, etc.).

Priority Score

59
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +39
POC: +20

Share

CVE-2024-54189 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy