Local Privilege Escalation in Parallels Access 6.5.4 by Parallels
CVE-2022-34899

7HIGH

Key Information:

Vendor: Parallels
Status: Access
Vendor: CVE Published:; 18 July 2022

What is CVE-2022-34899?

A vulnerability in Parallels Access 6.5.4 allows local attackers to escalate privileges. An attacker who can execute low-privileged code on the system can exploit the flaw in the Parallels service by creating a symbolic link. This manipulative action could enable the execution of arbitrary code within the root context, posing significant security risks. Immediate attention is recommended to mitigate potential exploits.

Affected Version(s)

Access 6.5.4 (39316)

References

https://www.zerodayinitiative.com/advisories/ZDI-22-947/

x_refsource_MISC

https://kb.parallels.com/en/129010

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 18, 2022
Vulnerability Reserved
Jul 1, 2022

Credit

Reno Robert of Trend Micro Zero Day Initiative