CVE-2023-27326

8.2 HIGH

📋 TL;DR

This vulnerability allows local attackers with high-privileged code execution on a Parallels Desktop guest system to escalate privileges on the host system via directory traversal in the Toolgate component. It affects Parallels Desktop installations where untrusted users can execute code on guest virtual machines. The flaw enables arbitrary code execution in the context of the current host user.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: Prior to 18.1.1
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where attackers can execute high-privileged code on guest virtual machines first.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the host system with full user privileges, allowing installation of persistent malware, data theft, and lateral movement to other systems.

🟠 Likely Case

Local privilege escalation from guest VM to host system, enabling attackers to bypass security controls and execute arbitrary code with host user permissions.

🟢 If Mitigated

Limited impact if proper access controls prevent untrusted users from executing code on guest VMs and host systems are regularly patched.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring initial access to execute code on a guest VM.
🏢 Internal Only: HIGH - Malicious insiders or compromised guest VMs can exploit this to escalate privileges on the host system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to execute high-privileged code on guest VM first. Directory traversal through Toolgate component leads to host privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.1.1 or later

Vendor Advisory: https://kb.parallels.com/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help > Check for Updates.
3. Install update to version 18.1.1 or later.
4. Restart affected virtual machines and host system.

🔧 Temporary Workarounds

Restrict Guest VM Access

all

Limit who can execute code on guest virtual machines and implement strict access controls.

Disable Unnecessary VMs

all

Shut down or suspend virtual machines not actively in use to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict access controls to prevent untrusted users from executing code on guest VMs
  • Monitor for suspicious activity between guest VMs and the host system, particularly file operations involving the Toolgate component

🔍 How to Verify

Check if Vulnerable:

Check Parallels Desktop version: Open Parallels Desktop > About Parallels Desktop. If the version is earlier than 18.1.1, the system is vulnerable.

Check Version:

Open Parallels Desktop and navigate to Help > About Parallels Desktop

Verify Fix Applied:

Verify that the version shown in the About Parallels Desktop dialog is 18.1.1 or later.
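
A scripted form of the version check above, for hosts that are audited from the command line. It is an added example, not code from Parallels or the advisory. The install path, reading CFBundleShortVersionString with PlistBuddy, and the version-string shapes it accepts are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): classify a Parallels Desktop version string
# against the fixed release named on this page.
FIXED_VERSION="18.1.1"
# Assumption: default install path of the app bundle on the macOS host.
APP_PLIST="/Applications/Parallels Desktop.app/Contents/Info.plist"

# Keep only the dotted numeric part: "Version 18.1.0 (00000)" -> "18.1.0".
normalize_version() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Succeeds (exit 0) when $1 is strictly older than $2; missing parts count as 0.
version_lt() {
  vl_a=$1; vl_b=$2
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
    case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
    case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
    if [ "${vl_x:-0}" -lt "${vl_y:-0}" ]; then return 0; fi
    if [ "${vl_x:-0}" -gt "${vl_y:-0}" ]; then return 1; fi
  done
  return 1
}

# Print VULNERABLE, PATCHED or UNKNOWN for a raw version string.
assess_version() {
  av_v=$(normalize_version "$1")
  if [ -z "$av_v" ]; then echo "UNKNOWN"
  elif version_lt "$av_v" "$FIXED_VERSION"; then echo "VULNERABLE"
  else echo "PATCHED"; fi
}

# Read the installed version from the bundle's Info.plist (macOS host only).
check_host() {
  if [ ! -f "$APP_PLIST" ]; then echo "NOT_INSTALLED"; return 0; fi
  ch_raw=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
    "$APP_PLIST" 2>/dev/null) || ch_raw=""
  assess_version "$ch_raw"
}

# Run with --check-host on a Mac; otherwise only the functions are defined.
if [ "${1:-}" = "--check-host" ]; then check_host; fi
```

An UNKNOWN result means the version string could not be parsed and the host should be checked by hand in the About dialog.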

📡 Detection & Monitoring

Log Indicators:

  • Unusual file operations involving Toolgate component
  • Privilege escalation attempts from guest VM to host

Network Indicators:

  • Suspicious inter-VM communication patterns

SIEM Query:

source="parallels" AND (event="toolgate_access" OR event="privilege_escalation")
