What is the new vulnerability reported in Parallels Desktop?

A critical root privilege escalation vulnerability has been discovered that bypasses the previous patch for CVE-2024-34331 (CVSS score 9.8). The vulnerability was discovered by security researcher Mickey Jin (@patch1t), who released details and proof-of-concept exploits after Parallels failed to address the issue for over seven months.

What are the technical details of the vulnerability?

The vulnerability exists in the repack_osx_install_app.sh script and has two major security bypasses: 1) A TOCTOU vulnerability allowing attackers to swap legitimate tools with malicious versions after signature verification but before root execution, and 2) A signature verification bypass where the 'anchor apple' verification requirement is insufficiently strict, enabling malicious dynamic library injection into Apple-signed binaries.

What proof-of-concept exploits were developed?

Two proof-of-concept exploits were developed: 1) An exploit targeting the do_repack_createinstallmedia function for arbitrary root command execution, and 2) An exploit for Parallels 19.4.1 abusing do_repack_manual functionality to control repackaging paths, manipulate symbolic links, and insert malicious code into the 7z extraction process.

What is the timeline of the vulnerability disclosure?

The flaw was initially reported to Zero Day Initiative on May 31, 2024, followed by a new repack command line issue reported directly to Parallels on July 22, 2024. After initial acknowledgment, Parallels ceased communication despite follow-up attempts.

What is the current status and recommended mitigation?

The vulnerability remains unpatched and potentially affects all current versions of Parallels Desktop. No official CVE or CVSS score has been assigned yet due to its 0-day nature. Users are advised to exercise caution when using Parallels Desktop and handling macOS installer applications.

Advisory

Critical flaw reported Parallels Desktop, PoC released

published: Feb. 24, 2025

Take action: You can't do much to fix your Parallels Desktop since there is no patch. Instead, work on prevention - limit access to your computer only to yourself or to very few very trusted people, and when using Parallels use only trusted installer packages that are downloaded from reputable locations and you have verified the integrity of the file (hash comparison).

Learn More

A critical vulnerability is reported in Parallels Desktop that bypasses the previous patch for CVE-2024-34331 (CVSS score 9.8).

The vulnerability is a root privilege escalation flaw discovered by security researcher Mickey Jin (@patch1t), who released details and proof-of-concept exploits after Parallels failed to address the issue for over seven months despite multiple responsible disclosure attempts.

The vulnerability exists in the repack_osx_install_app.sh script, which is responsible for repackaging macOS installer applications. The script implements a code signature verification mechanism to ensure the createinstallmedia binary is Apple-signed, but two significant security bypasses were identified:

TOCTOU (Time of Check to Time of Use) Vulnerability: Allows attackers to swap the legitimate createinstallmedia tool with a malicious version after signature verification but before root privilege execution
Signature Verification Bypass: The "anchor apple" verification requirement is insufficiently strict, enabling attackers to inject malicious dynamic libraries into Apple-signed binaries

The researcher developed two proof-of-concept exploits demonstrating the vulnerability:

The first exploit targets the do_repack_createinstallmedia function, enabling arbitrary command execution with root privileges by replacing the createinstallmedia binary with a malicious payload.
The second exploit, introduced with Parallels 19.4.1, abuses the do_repack_manual functionality to:
- Control macOS image repackaging destination paths
- Manipulate symbolic links to redirect root-owned folders
- Insert malicious code into the 7z extraction process, resulting in root-privileged execution

The flaw was initially reported to Zero Day Initiative (ZDI) in May 31, 2024, then in July 22, 2024 a new repack command line issue reported directly to Parallels. After initial acknowledgment, Parallels ceased communication despite follow-up attempts

The vulnerability remains unpatched potentially affecting all current versions of Parallels Desktop. No official CVE or CVSS score has been assigned yet due to the 0-day nature of the disclosure.

As this is an active 0-day vulnerability with no available patch, users should exercise caution when using Parallels Desktop, when handling macOS installer applications.

Critical flaw reported Parallels Desktop, PoC released

Read More
Google releases fix for actively exploited Chrome vulnerability
Mozilla Releases Security Updates for Firefox and Thunderbird
WhatsApp vulnerability actively exploited in targeted spyware campaign
Spyware exploited vulnerability in Samsung Galaxy devices through …
Mozilla addresses multiple High-Severity flaws with Firefox 138 …