CVE-2023-37250

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application intentionally launches DLLs from a user-owned directory but intended to always perform integrity verification of those DLLs. This affects Parsec Loader versions through 8. Parsec Loader 9 is a fixed version.

*Credits: N/A

CVSS Scores

NISTv3.1 7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-06-29 CVE Reserved
2023-07-03 First Exploit
2023-08-20 CVE Published
2023-08-26 EPSS Updated
2024-10-08 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CAPEC

References (4)

URL	Tag	Source
https://support.parsec.app/hc/en-us/articles/18311425588237-CVE-2023-37250	Third Party Advisory
https://unity3d.com	Product
https://www.kb.cert.org/vuls/id/287122	Third Party Advisory

URL	Date	SRC
https://github.com/ewilded/CVE-2023-37250-POC	2023-07-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Unity Search vendor "Unity"		Parsec Search vendor "Unity" for product "Parsec"				< 9.0 Search vendor "Unity" for product "Parsec" and version " < 9.0"		-		Affected