Unpatched Zero-Day in Parallels Desktop Grants Root Access on macOS
The latest release of Parallels Desktop for macOS contains an unpatched zero-day vulnerability that allows attackers to gain root access, with a proof-of-concept exploit already available.
This security flaw, which has yet to receive a CVE designation or CVSS score, is a bypass for a previous patch and enables unauthorized privilege escalation. The issue stems from a script used by Parallels Desktop to modify macOS installer applications for compatibility with its virtualization software.
Parallels Desktop is widely used worldwide, with approximately seven million users relying on it to run Windows, Linux, and other operating systems on their Macs.
Patch Bypass Leaves Systems Vulnerable
This zero-day vulnerability effectively circumvents the fix issued for CVE-2024-34331, a critical privilege escalation flaw (CVSS 9.8) that affected Intel-based Macs running Parallels Desktop. Ukrainian researcher Mykola Grymalyuk initially discovered that flaw in version 19.2.1; Parallels attempted to fix it in version 19.3.0, but the vulnerability persisted. A final fix arrived in version 19.3.1 in late April 2024, with the CVE officially recorded in May and publicly disclosed on May 30.
However, security researcher Mickey Jin soon identified a way to bypass this patch and reported it first to Trend Micro's Zero Day Initiative (ZDI) and later to Parallels. In a blog post, Jin explained that the issue involves a flawed verification process for an Apple macOS command-line utility. He identified two exploitation methods:
- A TOCTOU (Time-of-Check to Time-of-Use) attack, where an attacker manipulates a resource between its verification and execution.
- Injecting a malicious dynamic library into the Apple binary, bypassing the verification altogether.
TOCTOU vulnerabilities arise when there is a time gap between checking a condition and using a resource, allowing an attacker to alter the resource during that period.
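The check-then-use window described above, as an added illustration that is not code from Parallels or from Jin's write-up: a helper that verifies a binary sitting in a user-writable directory and then runs it from that same path is racy, whereas copying the file into a private directory first, verifying the copy, and running the copy closes the window. A SHA-256 comparison stands in for the code-signature check, `execute()` stands in for the kernel loading whatever is on disk at exec time, and the `between` hook only simulates the swap so the difference between the two patterns can be observed.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Optional

Hook = Optional[Callable[[], None]]


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def execute(path: str) -> bytes:
    # Stand-in for exec(): the kernel maps whatever is on disk *now*.
    with open(path, "rb") as f:
        return f.read()


def run_verified_racy(path: str, expected: str, between: Hook = None) -> bytes:
    """Vulnerable pattern: verify `path`, then later execute `path`."""
    if sha256_of(path) != expected:
        raise PermissionError("verification failed")
    if between:
        between()  # the time-of-check / time-of-use window
    return execute(path)


def run_verified_safe(path: str, expected: str, between: Hook = None) -> bytes:
    """Hardened pattern: stage a private copy, verify the copy, run the copy."""
    private = tempfile.mkdtemp(prefix="verified-")  # created with mode 0700
    staged = os.path.join(private, "tool")
    shutil.copyfile(path, staged)
    os.chmod(staged, 0o500)
    try:
        if sha256_of(staged) != expected:
            raise PermissionError("verification failed")
        if between:
            between()  # changes to the original path no longer matter
        return execute(staged)
    finally:
        shutil.rmtree(private)


def demo() -> dict:
    """Constructed scenario: a trusted script in a user-writable directory."""
    work = tempfile.mkdtemp(prefix="user-writable-")
    tool = os.path.join(work, "tool")
    trusted = b"#!/bin/sh\necho trusted\n"
    replaced = b"#!/bin/sh\necho replaced\n"
    with open(tool, "wb") as f:
        f.write(trusted)
    expected = hashlib.sha256(trusted).hexdigest()

    def swap() -> None:  # simulated modification inside the window
        with open(tool, "wb") as f:
            f.write(replaced)

    racy = run_verified_racy(tool, expected, between=swap)
    with open(tool, "wb") as f:
        f.write(trusted)
    safe = run_verified_safe(tool, expected, between=swap)
    shutil.rmtree(work)
    return {"racy": racy, "safe": safe}
```

`demo()` returns the bytes each variant actually ran: the racy helper executes the swapped content even though the check passed, while the hardened helper executes exactly what it verified.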
Delayed Response from Parallels
Jin initially reported the vulnerability to Parallels' security team in July 2024, but after receiving no response for seven months, he publicly disclosed his findings on February 20, 2025.
"Since Parallels is ignoring my reports, I have no choice but to disclose the zero-day exploit now," Jin wrote.
Parallels' parent company, Alludo, did not respond to media inquiries but later reached out to Jin, apologizing for the delayed response and requesting that he remove the disclosure until a fix was available. In an email shared by Jin, Alludo acknowledged communication failures and promised an internal review to prevent similar oversights in the future.