
CVE-2024-36486: CWE-62: UNIX Hard Link in Parallels Parallels Desktop for Mac

High
Vulnerability | Tags: CVE-2024-36486, cve, cve-2024-36486, cwe-62
Published: Tue Jun 03 2025 (06/03/2025, 09:43:26 UTC)
Source: CVE Database V5
Vendor/Project: Parallels
Product: Parallels Desktop for Mac

Description

A privilege escalation vulnerability exists in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740). When an archived virtual machine is restored, the prl_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.

AI-Powered Analysis

Last updated: 07/03/2025, 17:55:20 UTC

Technical Analysis

CVE-2024-36486 is a high-severity privilege escalation vulnerability affecting Parallels Desktop for Mac version 20.1.1 (55740). The vulnerability arises in the virtual machine archive restoration functionality, specifically within the prl_vmarchiver tool. When a user restores an archived virtual machine, this tool decompresses the archive and writes the extracted files back to their original locations using root privileges. The core issue is that the tool does not properly handle hard links during this restoration process. An attacker with limited privileges can exploit this by crafting a malicious archive containing hard links that point to arbitrary files on the system. When the archive is restored, the prl_vmarchiver tool follows these hard links and overwrites files outside the intended extraction directory, potentially modifying critical system files or binaries. This can lead to privilege escalation, allowing the attacker to gain root-level access on the host macOS system. The vulnerability is classified under CWE-62 (UNIX Hard Link) and has a CVSS v3.1 base score of 7.8, reflecting its high impact on confidentiality, integrity, and availability. Exploitation requires local access with limited privileges but does not require user interaction beyond initiating the restoration process. No known exploits are currently reported in the wild, but the vulnerability's nature and impact make it a significant risk for affected users.

Potential Impact

For European organizations using Parallels Desktop for Mac, especially version 20.1.1, this vulnerability poses a serious risk. The ability to escalate privileges from a limited user to root can compromise the confidentiality, integrity, and availability of sensitive data and systems. Organizations relying on Parallels for virtualization and development environments may face unauthorized access to critical infrastructure, data leakage, or disruption of services. This is particularly concerning for sectors with strict data protection regulations such as finance, healthcare, and government agencies in Europe. Additionally, the vulnerability could be leveraged as a foothold for further lateral movement within corporate networks, increasing the risk of broader compromise. Since Parallels Desktop is widely used in professional and enterprise environments on macOS, the impact extends to organizations that use Mac systems for development, testing, or production workloads.

Mitigation Recommendations

1. Immediate upgrade: Organizations should promptly update Parallels Desktop for Mac to a patched version once available from the vendor. Since no patch links are currently provided, monitoring Parallels' official channels for updates is critical.
2. Restrict archive restoration: Until patched, restrict the use of the virtual machine archive restoration feature to trusted administrators only.
3. Validate archives: Implement strict validation and scanning of virtual machine archives before restoration to detect malicious hard links or tampering.
4. Use least privilege: Limit user privileges on macOS hosts to minimize the number of users who can perform archive restoration.
5. Monitor system integrity: Deploy file integrity monitoring tools to detect unauthorized changes to critical system files that could indicate exploitation.
6. Employ endpoint protection: Use advanced endpoint detection and response (EDR) solutions capable of detecting suspicious file operations and privilege escalation attempts on macOS.
7. Educate users: Train users on the risks of restoring untrusted virtual machine archives and enforce policies against using unverified sources.
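As an added defensive illustration (not code from Parallels or from this advisory), the following Python shows the check a privileged restore tool can apply before writing a file back in place, which is the gap behind the hard-link write described in the Technical Analysis and the validation called for in recommendation 3: refuse a destination that is a symlink or whose inode has more than one link, and re-verify on the open descriptor before truncating. The VM bundle layout, the file names and the `victim`/`demo` scenario are constructed assumptions, not details of prl_vmarchiver.

```python
import os
import stat
import tempfile
from pathlib import Path

class UnsafeDestination(Exception):
    """A privileged write-back to this path must be refused."""

def check_restore_target(dest: str, restore_root: str) -> None:
    """dest must stay under restore_root and, if present, be a regular file with one link."""
    root, resolved = Path(restore_root).resolve(), Path(dest).resolve()
    if root != resolved and root not in resolved.parents:
        raise UnsafeDestination(f"{dest} escapes {restore_root}")
    try:
        st = os.lstat(dest)
    except FileNotFoundError:
        return  # nothing exists yet, so nothing can alias another file
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise UnsafeDestination(f"{dest} is not a plain regular file")
    if st.st_nlink > 1:  # the CWE-62 case: this name is an alias for another file's inode
        raise UnsafeDestination(f"{dest} has {st.st_nlink} links")

def safe_write_back(dest: str, data: bytes, restore_root: str) -> None:
    """Check, open without following symlinks, then re-check on the fd before truncating."""
    check_restore_target(dest, restore_root)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)  # catches a link swapped in between lstat() and open()
        if st.st_nlink > 1 or not stat.S_ISREG(st.st_mode):
            raise UnsafeDestination(f"{dest} changed between check and open")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: 'victim' stands in for a root-owned file; the restore destination is a hard link to it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = tempfile.mkdtemp(dir=tmp)  # stands in for the VM bundle directory
        victim, dest = os.path.join(tmp, "victim"), os.path.join(bundle, "config.pvs")
        Path(victim).write_text("original")
        os.link(victim, dest)  # the alias a naive root-privileged write-back would follow
        try:
            safe_write_back(dest, b"tampered", bundle)
            refused = False
        except UnsafeDestination:
            refused = True
        safe_write_back(legit := os.path.join(bundle, "fresh.pvs"), b"restored", bundle)
        return {"refused": refused, "victim_intact": Path(victim).read_text() == "original",
                "legit_written": Path(legit).read_bytes() == b"restored"}
```

The st_nlink check only covers an existing aliased destination; a tool that must also guard the directory components would additionally open each path segment with O_NOFOLLOW relative to a trusted root.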


Technical Details

Data Version: 5.1
Assigner Short Name: talos
Date Reserved: 2024-12-09T19:55:30.980Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683ec755182aa0cae26fb3fd

Added to database: 6/3/2025, 9:58:45 AM

Last enriched: 7/3/2025, 5:55:20 PM

Last updated: 7/30/2025, 4:12:09 PM
