A significant unpatched security vulnerability (CVE-2024-34331) has been identified in Parallels Desktop for Mac, potentially allowing attackers to gain administrator privileges across all current versions of the popular virtualization software. Security researcher Mickey Jin has disclosed technical details of two distinct exploit methods that bypass the platform’s code signing verification — and no official patch has been released as of the disclosure date. More details are available on the Parallels official website.
Technical Analysis of the Vulnerability
The core issue stems from flaws in Parallels Desktop’s code signing verification mechanism. Despite a security patch released in September 2024, researchers demonstrated that the implemented fixes can be bypassed through two different attack vectors, leaving systems vulnerable to local privilege escalation attacks.
TOCTOU Exploit Method
The first exploitation technique leverages a Time-of-Check to Time-of-Use (TOCTOU) vulnerability within the createinstallmedia utility. An attacker can exploit the time gap between signature verification and actual file execution to substitute legitimate files with malicious code, ultimately achieving root-level access to the system. This method works across all affected Parallels Desktop versions.
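As an added illustration (not code from the advisory or from Parallels), the check-then-use gap described above reduced to its essentials in Python: a path-based verify-then-reopen routine beside a descriptor-based one that verifies and uses the same open file. The code-signing check is simplified to a SHA-256 comparison, and the file names, sample bytes and the `between` hook that stands in for the time gap are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from typing import Callable, Optional

Hook = Optional[Callable[[], None]]

def verify_then_use_by_path(path: str, expected_sha256: str, between: Hook = None) -> bytes:
    """Vulnerable shape: verify the file by path, then re-open the path to use it."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected_sha256:
            raise ValueError("signature check failed")
    if between:
        between()  # demo hook: the check-to-use window the article describes
    with open(path, "rb") as f:  # re-resolves the path: whatever is there now is used unverified
        return f.read()

def verify_and_use_by_fd(path: str, expected_sha256: str, between: Hook = None) -> bytes:
    """Hardened shape: open once, refuse symlinks, verify and use the same descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)  # OSError if path is a symlink
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise ValueError("not a regular file")
        if between:
            between()  # a swap on the path cannot change the inode this fd refers to
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("signature check failed")
    return data  # exactly the bytes that were verified

def demo() -> dict:
    """Constructed scenario: the file is replaced inside the check/use window."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "payload")
        good, swapped = b"GOOD", b"SWAPPED"
        digest = hashlib.sha256(good).hexdigest()

        def write_target(data: bytes) -> None:
            tmp = target + ".new"
            with open(tmp, "wb") as f:
                f.write(data)
            os.replace(tmp, target)  # atomic rename over the checked path

        write_target(good)
        by_path = verify_then_use_by_path(target, digest, lambda: write_target(swapped))
        write_target(good)  # reset for the hardened run
        by_fd = verify_and_use_by_fd(target, digest, lambda: write_target(swapped))
        return {"by_path": by_path, "by_fd": by_fd}
```

Running `demo()` shows the path-based routine returning the swapped bytes that were never verified, while the descriptor-based routine returns only the bytes it checked.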
do_repack_manual Function Vulnerability
The second exploit targets weaknesses in the do_repack_manual function, enabling arbitrary file overwrites with root privileges. Through careful manipulation of symbolic links, attackers can redirect write operations to replace critical system components, resulting in elevated privileges. This vulnerability became exploitable following architectural changes introduced in version 19.4.1.
Impact Assessment and Version Specifics
The vulnerability affects all Parallels Desktop versions from 19.4.0 through version 20.2.1 (build 55876). The first exploit method remains effective across all versions, while the second emerged after version 19.4.1 changes. Version 20.2.1’s rollback of certain security measures has left all current versions susceptible to at least one attack vector.
Which Mac Users Are Affected by the Privilege Escalation
Any macOS user running Parallels Desktop versions 19.4.0 through 20.2.1 is at risk. The vulnerability requires local access to the machine, making it particularly relevant in shared workstation environments, university labs, corporate Mac fleets, and situations where malicious applications or scripts can run under a standard user account. Organizations that rely on Parallels Desktop for running Windows VMs on Mac should treat this as a high-severity local privilege escalation risk.
What to Do While Awaiting a Patch
- Monitor the Parallels security release page and apply any new patch immediately when released.
- Restrict access to the createinstallmedia utility and the Parallels installation tools via macOS application permissions.
- Enable macOS System Integrity Protection (SIP) and ensure it has not been disabled — SIP limits some of the exploit preconditions.
- Audit privilege escalation attempts using macOS Unified Logging: search for unusual launchd activity or unexpected root-owned process spawns tied to Parallels processes.
- Consider temporarily suspending Parallels Desktop use in shared environments or on machines handling sensitive data until a patch is available.
Disclosure Timeline and Vendor Response
Initial vulnerability disclosure to Parallels occurred in June 2024, with multiple follow-up communications including the most recent on February 19, 2025. Despite these efforts, the vendor had not released security patches as of the public disclosure date, prompting Mickey Jin’s full public disclosure to notify users of the ongoing risk.