CRITICAL🇵🇱 Wersja polska

CVE-2023-45894

CVSS 10.0v3.1pub. 2023-12-14upd. 2024-11-21

The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques.

🤖 AI Analysis
How it works

The error consists of a lack of proper segmentation (isolation) of virtualized applications from the host server environment. An attacker without any authentication, acting remotely over the network, can apply techniques known as kiosk breakout — escape methods known from restricted kiosk/terminal environments — to break out of the virtualized application context and gain access to the underlying system. As a result, arbitrary commands can be executed on the server (RCE).

Impact

An attacker can take full control of the server, gaining the ability to read and modify data, install malicious software, and further spread within the organization's infrastructure (lateral movement).

Mitigation & patch

Parallels Remote Application Server must be immediately updated to version 19.2.23975 or later. Details are available in the vendor's references and in the researchers' report at the address indicated in the CVE references section.

Who is affected

Parallels Remote Application Server (RAS) in all versions prior to 19.2.23975

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Parallels Remote Application Server

    APP
    Parallels
    < 19.2.23975
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2020-15860CRITICAL9.9ten sam produkt

Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It ...

CVE-2025-0413HIGH7.8ten sam produkt

Parallels Desktop Technical Data Reporter Link Following Local Privilege Escalation Vulnerability. This vulne...

CVE-2022-40870HIGH8.1ten sam produkt

The Web Client of Parallels Remote Application Server v18.0 is vulnerable to Host Header Injection attacks. Th...

CVE-2020-8968HIGH7.1ten sam produkt

Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clea...

CVE-2017-9447HIGH7.5ten sam produkt

In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140, a vulnerability exists due...