A significant vulnerability (CVE-2024-34331) in Parallels Desktop for Mac allows a local attacker to escalate to root on every current version of the popular virtualization software. Security researcher Mickey Jin has published technical details of two distinct exploit methods that bypass the vendor's patch for the flaw.
Technical Analysis of the Vulnerability
The core issue lies in Parallels Desktop's code-signing verification. Although Parallels shipped a patch in September 2024, the researcher has shown that the fix can be bypassed by two different routes, leaving systems open to local privilege escalation to root.
TOCTOU Exploit Method
The first technique exploits a Time-of-Check to Time-of-Use (TOCTOU) race in the way Parallels verifies and then runs the createinstallmedia tool. The tool's signature is checked, but the check and the root-privileged execution are separate operations on a path the user controls, so an attacker can swap in a malicious binary in the window between them; the substituted binary then runs as root.
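The pattern behind this bypass, as an added illustration that is not Parallels' code and does not reproduce the actual exploit: a privileged component checks a tool at a user-writable path and then runs it from that same path, beside the copy-first pattern that closes the window. The "signature check" is simplified to a content comparison, "execute" is simulated by reporting which content would have run, both sides run as the same user, and the private directory stands in for a root-only location; the file names and the hook that lets the attacker win the race deterministically are assumptions for the demo.

```c
/* Added illustration, not Parallels' code. A check-then-use race on a tool read
 * from a path the attacker can write to, and the copy-first pattern that closes
 * it. TRUSTED content stands in for a valid signature; use_tool() stands in for
 * executing the tool. Both sides run as one user here; private_dir stands in
 * for a directory only root can write. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TRUSTED   "#!/bin/sh\necho createinstallmedia\n"
#define MALICIOUS "#!/bin/sh\nchmod u+s /tmp/rootshell\n"

/* Hook that simulates the attacker winning the race; the demo points it at
 * attacker_swaps_tool() so the swap happens exactly between check and use. */
void (*between_check_and_use)(const char *path) = NULL;

static int read_all(int fd, char *buf, size_t cap) {
    size_t n = 0; ssize_t r = 0;
    while (n < cap - 1 && (r = read(fd, buf + n, cap - 1 - n)) > 0) n += (size_t)r;
    buf[n] = '\0';
    return r < 0 ? -1 : (int)n;
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Stand-in for the signature check: the bytes must equal the trusted tool. */
static int is_trusted(const char *path) {
    char buf[256];
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return 0;
    int n = read_all(fd, buf, sizeof buf);
    close(fd);
    return n >= 0 && strcmp(buf, TRUSTED) == 0;
}

/* Stand-in for "execute as root": 1 = trusted tool ran, 0 = something else
 * ran, -1 = error. */
static int use_tool(const char *path) {
    char buf[256];
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int n = read_all(fd, buf, sizeof buf);
    close(fd);
    return n < 0 ? -1 : (strcmp(buf, TRUSTED) == 0 ? 1 : 0);
}

/* Vulnerable: verify the tool where the user put it, then run it from that
 * same user-writable path. The gap between the two calls is the TOCTOU. */
int verify_then_use_in_place(const char *user_path) {
    if (!is_trusted(user_path)) return -1;
    if (between_check_and_use) between_check_and_use(user_path);
    return use_tool(user_path);
}

/* Hardened: copy the tool into a directory the attacker cannot write, then
 * verify and run only the copy. The original can still change under the
 * attacker's hands, but the bytes that were checked are the bytes that run. */
int copy_then_verify_then_use(const char *user_path, const char *private_dir) {
    char buf[256], copy_path[4096];
    int fd = open(user_path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int n = read_all(fd, buf, sizeof buf);
    close(fd);
    if (n < 0) return -1;
    snprintf(copy_path, sizeof copy_path, "%s/tool", private_dir);
    int out = open(copy_path, O_WRONLY | O_CREAT | O_EXCL, 0700); /* never clobber */
    if (out < 0) return -1;
    if (write(out, buf, (size_t)n) != n) { close(out); unlink(copy_path); return -1; }
    close(out);
    int rc = -1;
    if (is_trusted(copy_path)) {
        if (between_check_and_use) between_check_and_use(user_path);
        rc = use_tool(copy_path);
    }
    unlink(copy_path);
    return rc;
}

/* The attacker's move: overwrite the tool in place once the check has passed. */
static void attacker_swaps_tool(const char *path) { write_file(path, MALICIOUS); }

/* Runs one scenario in a fresh temp directory and returns use_tool's verdict. */
int run_scenario(int hardened) {
    char dir[] = "/tmp/toctou-demo-XXXXXX", user_path[4096], priv[4096];
    if (!mkdtemp(dir)) return -1;
    snprintf(user_path, sizeof user_path, "%s/createinstallmedia", dir);
    snprintf(priv, sizeof priv, "%s/private", dir);
    if (mkdir(priv, 0700) < 0 || write_file(user_path, TRUSTED) < 0) return -1;
    between_check_and_use = attacker_swaps_tool;
    int rc = hardened ? copy_then_verify_then_use(user_path, priv)
                      : verify_then_use_in_place(user_path);
    between_check_and_use = NULL;
    unlink(user_path); rmdir(priv); rmdir(dir);
    return rc;
}

int main(void) {
    printf("check in place, run in place: %d (0 = attacker's code ran)\n", run_scenario(0));
    printf("copy, check copy, run copy:   %d (1 = trusted tool ran)\n", run_scenario(1));
    return 0;
}
```

Note that verifying through an open file descriptor instead of re-opening by path is not enough on its own here: the attacker owns the original inode and can overwrite it in place after the check, which is why the hardened variant copies into a location the attacker cannot write before checking anything.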
do_repack_manual Function Vulnerability
The second exploit targets the do_repack_manual function, which writes files with root privileges without guarding against symbolic links. By planting symlinks where the function expects to write, an attacker can redirect those root-privileged writes to arbitrary paths and overwrite critical system components, which again yields root. This path was introduced by the changes Parallels made in version 19.4.1.
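The symlink-redirection pattern described above, as an added illustration that is not Parallels' code and does not reproduce the real do_repack_manual logic: a privileged writer that follows a link planted in a user-writable staging directory, beside a writer that refuses it. Both run as the same user in the demo, and the file names (protected.conf, staging/output.plist) are assumptions; protected.conf stands in for a root-owned file the attacker wants to overwrite.

```c
/* Added illustration, not Parallels' code. A privileged writer that follows a
 * symbolic link planted in a user-writable directory, beside a writer that
 * refuses to. Both run as one user here; protected.conf stands in for a
 * root-owned file the attacker wants to overwrite. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int write_fd(int fd, const char *data) {
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Vulnerable: open(2) follows a symlink at the final path component, so a link
 * the user planted at `path` redirects the root-privileged write to its target. */
int unsafe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_fd(fd, data);
}

/* Hardened: O_NOFOLLOW refuses a symlink at the final component (ELOOP),
 * O_EXCL refuses to reuse anything the user pre-placed there (EEXIST), and
 * fstat confirms an ordinary regular file with a single link was opened.
 * Only the last component is protected: intermediate directories can still be
 * links, so the parent directory itself must not be user-writable. */
int safe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return write_fd(fd, data);
}

static int read_small(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Scenario: the attacker plants staging/output.plist as a symlink to
 * protected.conf, then the privileged component writes its output there.
 * Returns 1 if protected.conf was clobbered, 0 if it survived, -1 on setup error. */
int run_symlink_scenario(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char staging[4096], target[4096], link[4096], buf[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected.conf", dir);
    snprintf(staging, sizeof staging, "%s/staging", dir);
    snprintf(link, sizeof link, "%s/staging/output.plist", dir);
    if (unsafe_write(target, "original\n") < 0 || mkdir(staging, 0755) < 0 ||
        symlink(target, link) < 0) return -1;
    const char *payload = "attacker-chosen\n";
    if (hardened) safe_write(link, payload); else unsafe_write(link, payload);
    int clobbered = read_small(target, buf, sizeof buf) >= 0 && strcmp(buf, payload) == 0;
    unlink(link); rmdir(staging); unlink(target); rmdir(dir);
    return clobbered;
}

int main(void) {
    printf("follows symlink:  protected file clobbered = %d\n", run_symlink_scenario(0));
    printf("O_NOFOLLOW|O_EXCL: protected file clobbered = %d\n", run_symlink_scenario(1));
    return 0;
}
```

The same idea generalizes to the common "write a temp file, then move it into place" flow: create the temp file with O_EXCL in a root-owned directory and rename(2) it over the destination, rather than opening the destination path for writing, so a link the user dropped there is replaced instead of followed.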
Impact Assessment and Version Specifics
The vulnerability affects Parallels Desktop versions 19.4.0 through the current release, 20.2.1 (build 55876). The TOCTOU method works against every version in that range, while the do_repack_manual method applies from 19.4.1 onward, when the relevant changes were introduced. Most concerning, version 20.2.1 rolled back some of the earlier hardening, so every current version is exposed to at least one of the two vectors.
Disclosure Timeline and Vendor Response
The researcher first reported the issue to Parallels in June 2024 and followed up several times, most recently on February 19, 2025. With no fix released in that period, the researcher published the details to alert users to the risk.
Until a patch is available, organizations and individuals running Parallels Desktop should treat it as a local privilege-escalation path: restrict who can use the macOS installation features that reach the vulnerable code, limit local access to affected machines, apply application control where possible, and monitor for unusual privilege escalation, such as unexpected root-level file writes or root processes originating from an unprivileged session.