How to fix EUVD-2025-16718?

Within 24 hours: Identify and inventory all Parallels Desktop 20.2.2 installations across the organization and restrict access to affected systems. Within 7 days: Implement network-level restrictions to prevent untrusted PVMP package sources from being processed; disable PVMP package unpacking if not operationally required. Within 30 days: Migrate affected systems to patched versions as soon as vendor releases patches; monitor vendor security advisories for patch availability and deploy immediately upon release.

Is Parallels Desktop affected by EUVD-2025-16718?

A high-severity vulnerability in Parallels Desktop for Mac version 20.2.2 allows attackers to write arbitrary files and potentially gain elevated system privileges.

EUVD-2025-16718

| CVE-2025-31359 HIGH

2025-06-03 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16718

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

PoC Detected

Jul 02, 2025 - 14:47 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 10:15 nvd

HIGH 8.8

Description

A directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write to arbitrary files, potentially leading to privilege escalation.

Analysis

Directory traversal vulnerability in Parallels Desktop for Mac version 20.2.2 (build 55879) affecting the PVMP package unpacking functionality. An authenticated local attacker with limited privileges can exploit this flaw to write arbitrary files to the system, potentially achieving privilege escalation with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user interaction is not needed, making it a significant risk for multi-user or shared Mac environments.

Technical Context

The vulnerability exists in the PVMP (Parallels Virtual Machine Package) unpacking mechanism used by Parallels Desktop for Mac. PVMP files are container formats for virtual machine configurations and data. The directory traversal flaw (CWE-22) occurs when the unpacking routine fails to properly validate and sanitize file paths extracted from PVMP archives before writing them to disk. This allows path traversal sequences (e.g., '../../../') to escape intended directories and write files to arbitrary locations on the filesystem. The affected product is CPE:2.3:a:parallels:desktop:20.2.2:*:*:mac:*:*:*:*. This is a path validation issue in archive extraction logic, a well-known attack vector when input sanitization is insufficient.

Affected Products

Parallels Desktop for Mac (20.2.2 (build 55879))

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +44

POC: +20

EUVD-2025-16718 vulnerability details – vuln.today

Back

EUVD-2025-16718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-16718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code