Advisory Details

February 4th, 2025

Parallels Desktop Technical Data Reporter Link Following Local Privilege Escalation Vulnerability

CVE ID	CVE-2025-0413
CVSS SCORE	7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS	Parallels
AFFECTED PRODUCTS	Desktop
VULNERABILITY DETAILS	This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Technical Data Reporter component. By creating a symbolic link, an attacker can abuse the service to change the permissions of arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.
ADDITIONAL DETAILS	Parallels has issued an update to correct this vulnerability. More details can be found at: https://kb.parallels.com/130212
DISCLOSURE TIMELINE	2024-09-19 - Vulnerability reported to vendor 2025-02-04 - Coordinated public release of advisory 2025-02-04 - Advisory Updated
CREDIT	kn32

BACK TO ADVISORIES