CVE-2023-27322

7.8 HIGH

📋 TL;DR

This vulnerability in Parallels Desktop Service allows local attackers with low-privileged access to escalate to root privileges due to improper environment variable initialization. It affects Parallels Desktop installations on macOS systems where an attacker already has some foothold on the host.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: Prior to 18.1.1
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Parallels Desktop installations on macOS where the Parallels Service is running. Virtual machines themselves are not directly vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level code execution, allowing installation of persistent malware, data theft, and full control of the macOS host.

🟠 Likely Case

Local privilege escalation from a standard user account to root, enabling attackers to bypass security controls, install additional tools, and access protected system resources.

🟢 If Mitigated

Limited impact if proper access controls prevent initial low-privileged code execution and the service runs with minimal privileges.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring existing local access.
🏢 Internal Only: HIGH - Once an attacker gains any local access (malware, compromised user account), they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing local access, but the vulnerability itself is straightforward to exploit once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.1.1 and later

Vendor Advisory: https://kb.parallels.com/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help > Check for Updates.
3. Install update 18.1.1 or later.
4. Restart the host system.

🔧 Temporary Workarounds

Disable Parallels Service

Temporarily unload the Parallels Service launch daemons (macOS) to prevent exploitation while awaiting the patch:

sudo launchctl unload /Library/LaunchDaemons/com.parallels.vm.prl_*.plist

Virtual machines depend on this service and will not run while it is unloaded; load the same plists again with launchctl load once the update is installed.

🧯 If You Can't Patch

  • Restrict local user access to prevent initial low-privileged code execution
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version under About Parallels Desktop, or run:

/Applications/Parallels\ Desktop.app/Contents/MacOS/prlctl --version

Check Version:

/Applications/Parallels\ Desktop.app/Contents/MacOS/prlctl --version

Verify Fix Applied:

Verify that the reported version is 18.1.1 or higher using the same command.
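The version check above compared by hand is easy to get wrong (a string comparison puts 18.1.10 before 18.1.1). The following is an added example, not part of the advisory card or Parallels' tooling: it runs the prlctl path given above, extracts the dotted version from whatever the command prints (the exact output format of `prlctl --version` is an assumption; the code only requires an X.Y.Z token somewhere in it) and compares it numerically against the 18.1.1 fix version.

```python
"""Classify a Parallels Desktop install as patched/vulnerable for CVE-2023-27322.

Added example. Assumptions: `prlctl --version` prints a dotted X.Y.Z version
somewhere in its output; the binary path and fixed version come from the card.
"""
import re
import subprocess
from typing import Optional, Tuple

# Path and fixed version as stated in the advisory card.
PRLCTL = "/Applications/Parallels Desktop.app/Contents/MacOS/prlctl"
FIXED_VERSION = (18, 1, 1)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return the first X.Y.Z version found in the text as an int tuple, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_patched(version: Tuple[int, int, int]) -> bool:
    """Numeric tuple comparison: 18.1.10 >= 18.1.1 is True, unlike a string compare."""
    return version >= FIXED_VERSION


def assess(output: str) -> str:
    """Map raw prlctl output to 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(output)
    if version is None:
        return "unknown"          # no version token: do not assume safe
    return "patched" if is_patched(version) else "vulnerable"


def check_installed() -> str:
    """Run the real prlctl binary (macOS host) and classify it; 'unknown' if absent."""
    try:
        proc = subprocess.run([PRLCTL, "--version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(check_installed())
```

An "unknown" result is reported rather than treated as patched, so a missing or renamed binary on a fleet scan shows up as something to look at instead of silently passing.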

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • Parallels Service process spawning unexpected child processes with elevated privileges

Network Indicators:

  • Not applicable - local privilege escalation

SIEM Query:

process where parent_process_name contains 'prl_' and (process_name contains 'sudo' or process_user != parent_process_user)
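The query's intent is "a Parallels process as parent, and either a sudo child or a child running as a different user"; without parentheses, some query languages would bind the `or` differently. The block below is an added example, not from the advisory card or any SIEM vendor: it applies that logic to constructed process events using the field names from the query (parent_process_name, process_name, process_user, parent_process_user). The Parallels process names in the sample events are illustrative only.

```python
"""Apply the card's SIEM query logic to process-creation events.

Added example. The event field names come from the query above; the sample
events and the process names in them are constructed for illustration.
"""
from typing import Dict, List

Event = Dict[str, str]

# Constructed telemetry: one benign service child, one sudo child, one
# user change under a Parallels parent, and one sudo under a non-Parallels parent.
SAMPLE_EVENTS: List[Event] = [
    {"process_name": "prl_vm_app", "process_user": "root",
     "parent_process_name": "prl_disp_service", "parent_process_user": "root"},
    {"process_name": "sudo", "process_user": "root",
     "parent_process_name": "prl_client_app", "parent_process_user": "alice"},
    {"process_name": "bash", "process_user": "root",
     "parent_process_name": "prl_disp_service", "parent_process_user": "alice"},
    {"process_name": "sudo", "process_user": "root",
     "parent_process_name": "Terminal", "parent_process_user": "alice"},
]


def matches_query(event: Event) -> bool:
    """parent_process_name contains 'prl_' AND
       (process_name contains 'sudo' OR process_user != parent_process_user).
    Parenthesised explicitly so the Parallels-parent condition applies to both branches."""
    parent_is_parallels = "prl_" in event.get("parent_process_name", "")
    spawns_sudo = "sudo" in event.get("process_name", "")
    user_changed = event.get("process_user") != event.get("parent_process_user")
    return parent_is_parallels and (spawns_sudo or user_changed)


def find_hits(events: List[Event]) -> List[Event]:
    """Return the events that should raise an alert under the query."""
    return [e for e in events if matches_query(e)]


def summarize(events: List[Event]) -> List[str]:
    """One human-readable line per hit, for a triage queue."""
    return [f"{e['parent_process_name']} ({e['parent_process_user']}) -> "
            f"{e['process_name']} ({e['process_user']})" for e in find_hits(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The user-change branch will fire on legitimate Parallels activity if the service normally launches helpers under a different account on your hosts, so baseline the parent/child/user triples before alerting on it and keep the sudo branch as the higher-confidence signal.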
