Skip to main content

CVE-2026-54424

CVE-2026-54424

Updated

Parsec Security Advisory 

 

Date Reported 

4/20/2026

Affected Packages 

Parsec for Windows versions < 150-104a

Patched Version

Parsec for Windows version 150-104a

Severity

High

Security database references

CVE-2026-54424

 

Summary 

An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege by an authenticated user.

Vulnerability Details

A security researcher reported a vulnerability impacting Parsec for Windows that leverages an API call in the Parsec service to modify the working directory. Once the working directory is modified, the service can be manipulated into performing actions under the context of the service running as SYSTEM.

Exploit Conditions

To successfully perform these actions, an attacker must meet the following conditions:

  • Be connected and authenticated on the target system.
  • Parsec must be installed using the "Per User" option (selected during initial installation).

Note: Installations utilizing the "Shared User" option are unaffected by this vulnerability.

Remediation & How to Update

To ensure your system is protected, apply the patch using one of the following methods:

  • Application Restart: Completely quit and relaunch the Parsec application. You may need to repeat this a few times to trigger the background update.
  • Manual Installer: Download and run the Parsec Executable Updater. This will directly update the affected files within your Parsec directory.

To confirm you are protected, open Parsec, navigate to the Settings tab, and check the listed version numbers:

  • Service Version: Must be v13 or higher.
  • Loader Version: Must be v17 or higher.

Timeline 

  • Notified of vulnerability by researcher on Apr 20, 2026.
  • Requested additional information for reproduction from the researcher on May 1, 2026.
  • Provided a QA build with fix to the researcher for additional testing on Jun 1, 2026.
  • Gradually released fixed versions between Jun 4, 2026 and Jun 22, 2026.
  • Full release automatically applied to vulnerable systems between Jun 23, 2026 and Jun 24, 2026.
  • Released this security advisory on Jun 25, 2026.

References 

https://www.tomadimitrie.dev/blog/HjtcK4ztHD

Powered by Zendesk