Cyber Resilience

CVE-2025-0413

High

Published: 05 February 2025

Modified: 15 August 2025
CVSS Score v3: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0413 is a high-severity Link Following (CWE-59) vulnerability in Parallels Desktop. Its CVSS base score is 7.8 (High).

Operationally, it ranks at the 34.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Parallels Desktop Technical Data Reporter Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Technical Data Reporter component. By creating a symbolic link, an attacker can abuse the service to change the permissions of arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-25014.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

parallels remote application server: ≤ 19.4.3.2-25228
parallels parallels: 19.0-23304 — 19.4.3-25221 · 20.0-25389 — 20.2-25889

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
