CVE-2023-27328

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers on Parallels Desktop guest systems to escalate privileges by exploiting XML injection in the Toolgate component. Attackers must first execute low-privileged code on the guest system, then can leverage the flaw to execute arbitrary code with hypervisor privileges. Affects Parallels Desktop installations with vulnerable Toolgate components.

💻 Affected Systems

Products:
  • Parallels Desktop
Versions: Prior to 18.1.1
Operating Systems: macOS (host), Windows/Linux (guest VMs)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations where the Toolgate component is enabled. The guest operating system type does not matter as long as Parallels Tools/Toolgate is installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the hypervisor host system, allowing attacker to escape guest VM isolation and gain full control over the host operating system and all other VMs.

🟠 Likely Case

Privilege escalation from guest user to hypervisor-level access, enabling installation of persistent malware, data theft from other VMs, and lateral movement within the virtual environment.

🟢 If Mitigated

Limited to guest VM compromise only, with hypervisor isolation preventing host system access if proper security controls are implemented.

🌐 Internet-Facing: LOW - Requires local access to guest VM; not directly exploitable over internet.
🏢 Internal Only: HIGH - Significant risk in environments where users run Parallels Desktop with untrusted guest VMs or where guest VMs might be compromised through other means.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local code execution on guest VM first. XML injection technique is well-understood but specific Toolgate implementation details may require research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.1.1 or later

Vendor Advisory: https://kb.parallels.com/125013

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Help → Check for Updates.
3. Install the update to version 18.1.1 or newer.
4. Restart all running VMs and the Parallels Desktop application.

🔧 Temporary Workarounds

Disable Toolgate component
Platform: all
Remove or disable the vulnerable Toolgate feature that handles XML processing
Command: Not available - requires configuration changes in Parallels Desktop settings

Restrict guest VM privileges
Platform: all
Configure guest VMs with minimal privileges and disable unnecessary Parallels Tools components

🧯 If You Can't Patch

  • Isolate Parallels Desktop host from critical networks and systems
  • Implement strict access controls on guest VMs and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version: on the macOS host, open Parallels Desktop → About Parallels Desktop. If the version is below 18.1.1, the system is vulnerable.

Check Version:

On macOS host: /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' '/Applications/Parallels Desktop.app/Contents/Info.plist'

Verify Fix Applied:

Confirm version is 18.1.1 or newer in About Parallels Desktop dialog.
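A script that automates the version check above, added here as an example and not part of the advisory: it reads the installed version with the PlistBuddy command quoted above and compares it numerically against the fixed release 18.1.1 given in the advisory (the function names and the comparison helper are this example's own).

```shell
# Added example: classify an installed Parallels Desktop version against the fix.
# The fixed version is the one stated in the advisory; the plist path and
# PlistBuddy command are the ones quoted in the verification step above.
FIXED_VERSION="18.1.1"

# version_lt A B: returns 0 (true) when dotted version A is lower than B.
# Fields are compared numerically, left to right; missing fields count as 0.
version_lt() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# assess_version V: prints "vulnerable" when V is below 18.1.1, else "patched".
# Anything after the first non-numeric character (e.g. a build number in
# parentheses) is dropped before comparing.
assess_version() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# installed_version: reads CFBundleShortVersionString on a macOS host.
installed_version() {
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
    '/Applications/Parallels Desktop.app/Contents/Info.plist' 2>/dev/null
}

# check_host: run this on the host to get a one-line verdict.
check_host() {
  ver=$(installed_version) || { echo "Parallels Desktop not found"; return 2; }
  printf 'Parallels Desktop %s: %s\n' "$ver" "$(assess_version "$ver")"
}
```

Call check_host on the macOS host; assess_version can be exercised on its own with any version string.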

📡 Detection & Monitoring

Log Indicators:

  • Unusual Toolgate component activity
  • XML parsing errors in Parallels logs
  • Privilege escalation attempts from guest VMs

Network Indicators:

  • Unexpected hypervisor-level network activity from guest VM contexts

SIEM Query:

source="parallels*" AND (event_type="privilege_escalation" OR message="*toolgate*" OR message="*xml*") AND severity=HIGH

🔗 References
