CVE-2026-54424
Received Received - Intake

Incorrect Use of Privileged APIs in Unity Parsec on Windows

Vulnerability report for CVE-2026-54424, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: MITRE

Description

An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue affects Parsec through v2026-05-04.0. The patched version isΒ Parsec for Windows version 150-104a. A user can generate a situation where there is an instance of parsecd.exe running as NT AUTHORITY\SYSTEM with a user-controlled value of the AppData environment variable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-04
Last Modified
2026-07-04
Generated
2026-07-04
AI Q&A
2026-07-04
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
unity_technologies parsec to 150-104a (exc)
unity_technologies parsec 150-104a

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-648 The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54424 is a security vulnerability in Parsec for Windows versions prior to 150-104a caused by incorrect use of privileged APIs. It allows an authenticated user to exploit an API call in the Parsec service to modify the working directory and spawn instances of parsecd.exe running with SYSTEM privileges using a user-controlled AppData environment variable.

This vulnerability can be exploited by an attacker connected and authenticated on the target system who installed Parsec using the "Per User" option. The exploit involves bypassing security checks and injecting code or manipulating process tokens to elevate privileges.

More advanced exploit chains include remote code execution via process injection, arbitrary file read by redirecting folders using opportunistic locks and junctions, and capturing NetNTLMv2 hashes by setting the APPDATA path to a rogue SMB server.

Compliance Impact

The provided information does not explicitly address how CVE-2026-54424 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to an elevation of privilege where an attacker gains SYSTEM-level access on the affected Windows host running Parsec. With SYSTEM privileges, an attacker can execute arbitrary code, read any files on the system, and capture sensitive authentication hashes.

  • Remote Code Execution (RCE) by injecting malicious code into parsecd.exe running as SYSTEM.
  • Arbitrary file read with SYSTEM privileges by redirecting system folders.
  • Capture of NetNTLMv2 hashes of the SYSTEM account, which can be cracked or relayed for further attacks.

These impacts can allow attackers to fully compromise the affected system, potentially leading to data theft, system manipulation, or further network compromise.

Detection Guidance

This vulnerability can be detected by checking if the Parsec service is running a vulnerable version prior to 150-104a on Windows hosts. Specifically, you should verify if parsecd.exe is running under the NT AUTHORITY\SYSTEM account with a user-controlled AppData environment variable.

To detect the vulnerability on your system, you can check the Parsec service version and loader version in the Parsec settings to ensure they are at least version 13 and 17 respectively.

Additionally, monitoring for parsecd.exe processes running as SYSTEM and inspecting their environment variables for suspicious or user-controlled AppData paths can help identify exploitation attempts.

While no specific commands are provided in the resources, typical commands to check running processes and their environment variables on Windows include:

  • Using PowerShell to list parsecd.exe processes running as SYSTEM: Get-WmiObject Win32_Process -Filter "Name='parsecd.exe'" | Select-Object ProcessId, CommandLine, @{Name='User';Expression={(Get-WmiObject Win32_Process -Filter "ProcessId=$($_.ProcessId)").GetOwner().User}}
  • Using Sysinternals Process Explorer to inspect the environment variables of parsecd.exe processes.
  • Checking the Parsec application settings for version information to confirm if the patch has been applied.
Mitigation Strategies

The immediate mitigation step is to update Parsec for Windows to version 150-104a or later, which contains the patch for this vulnerability.

Users can update their systems by either restarting the Parsec application multiple times to trigger a background update or by manually downloading and running the Parsec Executable Updater.

After updating, verify that the Parsec service version is at least v13 and the loader version is at least v17 in the Parsec settings.

Additionally, avoid installing Parsec using the "Per User" option during setup, as systems installed with the "Shared User" option are not affected by this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54424. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart