CVE-2024-36486

7.8 HIGH

📋 TL;DR

This CVE describes a privilege escalation vulnerability in Parallels Desktop for Mac where the prl_vmarchiver tool writes decompressed archive contents with root privileges. Attackers can exploit this using hard links to overwrite arbitrary files, potentially gaining root access. Only users running Parallels Desktop for Mac version 20.1.1 (55740) are affected.

💻 Affected Systems

Products:
  • Parallels Desktop for Mac
Versions: 20.1.1 (55740)
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where Parallels Desktop is installed and the prl_vmarchiver tool is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: an arbitrary file write performed as root gives the attacker complete control of the macOS system.

🟠 Likely Case

Local privilege escalation allowing an attacker with user-level access to gain root privileges on the affected system.

🟢 If Mitigated

No impact if the vulnerable version is not installed or if proper access controls prevent local user exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any user with local access to a vulnerable system could potentially exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of hard link techniques to manipulate file writes during VM archive restoration.
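The hard link technique mentioned above is a hazard for any privileged process that writes into a directory a local user controls. As an added illustration (not code from Parallels or from this advisory), the C function below shows the checks such a writer can make before overwriting an existing file; the name safe_overwrite, the owner parameter and the /tmp demo files are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite an existing file on behalf of user `owner`; 0 on success, -1 if
 * refused or on I/O error. Assumption: the helper knows the requesting uid. */
int safe_overwrite(const char *path, const void *data, size_t len, uid_t owner)
{
    /* O_NOFOLLOW rejects a symlink as the last component; no O_TRUNC, so
     * nothing is modified until the checks below pass. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    /* fstat() inspects the opened inode, so a later path swap changes nothing. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 ||      /* a second name: the file is hard linked */
        st.st_uid != owner) {    /* not the requesting user's own file */
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    for (const char *p = data; len > 0; ) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); return -1; }
        p += n; len -= (size_t)n;
    }
    return close(fd);
}

int main(void)
{
    /* Constructed demo: a scratch file in /tmp, then a second hard link. */
    char a[] = "/tmp/hl_demo_XXXXXX", b[64];
    int fd = mkstemp(a);
    if (fd < 0) return 1;
    close(fd);
    snprintf(b, sizeof b, "%s.lnk", a);
    printf("single link: %d\n", safe_overwrite(a, "ok", 2, getuid()));
    if (link(a, b) != 0) return 1;
    printf("hard linked: %d\n", safe_overwrite(b, "no", 2, getuid()));
    unlink(a); unlink(b);
    return 0;
}
```

Writing with the invoking user's privileges instead of root removes the problem at its source; the link-count and owner checks are a second layer for code that must stay privileged.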

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version (beyond 20.1.1)

Vendor Advisory: https://www.parallels.com/products/desktop/security/

Restart Required: Yes

Instructions:

1. Open Parallels Desktop.
2. Go to Parallels Desktop menu > Check for Updates.
3. Install available updates.
4. Restart your Mac if prompted.

🔧 Temporary Workarounds

Disable Parallels Desktop VM archive functionality

all

Prevent use of the vulnerable prl_vmarchiver tool by restricting VM archive operations

Restrict prl_vmarchiver permissions

macOS

Change permissions on the prl_vmarchiver binary to prevent execution

sudo chmod 000 /Applications/Parallels\ Desktop.app/Contents/MacOS/prl_vmarchiver

🧯 If You Can't Patch

  • Restrict local user access to systems running vulnerable Parallels Desktop
  • Implement strict file integrity monitoring for critical system files

🔍 How to Verify

Check if Vulnerable:

Check the Parallels Desktop version in the About Parallels Desktop menu. If the version is 20.1.1 (55740), the system is vulnerable.

Check Version:

plutil -p /Applications/Parallels\ Desktop.app/Contents/Info.plist | grep -i version

Verify Fix Applied:

Verify that the Parallels Desktop version is updated beyond 20.1.1 (55740) and check that the prl_vmarchiver tool no longer writes with root privileges during archive restoration.

📡 Detection & Monitoring

Log Indicators:

  • Unusual prl_vmarchiver process execution
  • Unexpected file modifications in system directories during VM operations

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

process_name="prl_vmarchiver" AND user="root" AND file_write_operation=*
