Skip to main content

Unity Parsec CVE-2026-54424

| EUVDEUVD-2026-41655 HIGH
Incorrect Use of Privileged APIs (CWE-648)
2026-07-04 mitre GHSA-f445-7g93-34v9
8.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local elevation of privilege requires an already-authenticated low-privileged user (PR:L, AV:L), no interaction, and yields full SYSTEM compromise (C:H/I:H/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 04, 2026 - 01:27 vuln.today
CVE Published
Jul 04, 2026 - 00:45 cve.org
HIGH 8.4

DescriptionCVE.org

An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version is Parsec for Windows version 150-104a. A user can generate a situation where there is an instance of parsecd.exe running as NT AUTHORITY\SYSTEM with a user-controlled value of the AppData environment variable.

AnalysisAI

Local privilege escalation in Unity Parsec for Windows (all builds through v2026-05-04.0) lets an unprivileged local user coerce an instance of parsecd.exe to run as NT AUTHORITY\SYSTEM while honoring a user-controlled AppData environment variable, allowing the attacker to redirect the privileged process to resources under their control and gain SYSTEM. The flaw is a CWE-648 misuse of privileged APIs; publicly available exploit code exists (a dedicated CVE GitHub repository and a researcher write-up), and it is fixed in Parsec for Windows 150-104a. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Log in as unprivileged local Windows user
Delivery
Set attacker-controlled AppData environment variable
Exploit
Trigger parsecd.exe launch as NT AUTHORITY\SYSTEM
Execution
SYSTEM process resolves user-controlled paths
Impact
Execute code as SYSTEM and take over host

Vulnerability AssessmentAI

Exploitation Requires local, interactive access to a Windows host running Unity Parsec at or below v2026-05-04.0 as a normal (unprivileged) user; the attacker must be able to set/control the AppData environment variable in their own session and induce an instance of parsecd.exe to launch in the NT AUTHORITY\SYSTEM context. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base 8.4) captures the full SYSTEM-compromise impact but is optimistic on privileges: this is a local elevation-of-privilege issue, so the attacker must already be a logged-in user on the host, which is more honestly modeled as PR:L than PR:N - flag this PR:N-versus-local-EoP tension when triaging. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard (non-admin) user logged into a shared Windows workstation that has Parsec installed sets the AppData environment variable to a directory they control, then triggers the code path that spawns parsecd.exe as NT AUTHORITY\SYSTEM. The SYSTEM process resolves attacker-controlled paths from that AppData value, letting the user execute code or load resources as SYSTEM and take over the machine. …
Remediation Vendor-released patch: Parsec for Windows version 150-104a - upgrade every Windows host running Parsec to this build or later, per the vendor advisory at https://support.parsec.app/hc/en-us/articles/50612943726612-CVE-2026-54424. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Parsec for Windows deployments running builds through v2026-05-04.0 and restrict local login access to trusted administrators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy