Remote desktop software Parsec has resolved a high-severity local privilege escalation vulnerability that allowed authenticated attackers to hijack the SYSTEM-level Parsec service on Windows hosts.
Tracked as CVE-2026-54424, the flaw affected all Parsec for Windows installations prior to version 150-104a and stemmed from improper handling of privileged API calls within the Parsec service.
Parsec, widely used for low-latency remote access and game streaming, disclosed the issue in a security advisory published June 25, 2026, following a coordinated disclosure timeline spanning more than two months.
Parsec Windows Vulnerability
The vulnerability falls under the “Incorrect Use of Privileged APIs” category, a class of bugs that occurs when a service running with elevated permissions fails to properly validate or restrict actions it performs on behalf of a lower-privileged user.
According to Parsec’s advisory, a security researcher identified an API call exposed by the Parsec Windows service that could be leveraged to modify the service’s working directory.
Because the Parsec service runs as SYSTEM, the highest privilege level on Windows, an attacker who could redirect that working directory would gain the ability to influence which files or executables the service interacts with.
In practical terms, this meant that a local, authenticated user with no special permissions could manipulate the service to execute actions in a SYSTEM security context, effectively escalating from a standard user account to full system-level control.
Parsec clarified that exploitation requires two specific conditions to be met simultaneously:
- The attacker must already be authenticated and logged into the target Windows system (this is a local privilege escalation, not a remote, unauthenticated attack).
- Parsec must have been installed using the “Per User” installation option, which is offered during initial setup.
Notably, systems where Parsec was installed via the “Shared User” option are not affected by this vulnerability. This distinction matters significantly for IT administrators auditing fleet-wide deployments, since exposure hinges entirely on the installation mode selected, a detail that is easy to overlook in bulk enterprise rollouts.
The staggered rollout rather than an immediate, simultaneous patch suggests Parsec prioritized stability testing across its user base before full deployment, a reasonable approach given the service’s role in real-time streaming performance.
Parsec has patched the vulnerability in version 150-104a and above. Users can apply the fix through either of two methods:
- Restart the application: Fully quit and relaunch Parsec, potentially multiple times, to trigger the background auto-update mechanism.
- Manual update: Download and run the official Parsec Executable Updater directly from Parsec’s build servers to force an update of affected files.
To verify protection, users should open Parsec, navigate to Settings, and confirm:
- Service Version is v13 or higher.
- Loader Version is v17 or higher.
Given that the June 23–24 automatic rollout should have reached most active systems, any installation still reporting older version numbers likely indicates the update process stalled, or the application hasn’t been relaunched recently.
While CVE-2026-54424 requires local authenticated access, limiting its use as a standalone remote attack vector, it remains a meaningful risk in shared, multi-user, or enterprise environments where Parsec is deployed for remote workstation access or cloud gaming infrastructure.
An attacker who has already gained a foothold through phishing, stolen credentials, or another initial-access vector could use this flaw as a stepping stone to full SYSTEM control, enabling persistence, credential harvesting, or lateral movement.
Organizations running Parsec in “Per User” mode across shared or multi-tenant Windows systems should treat this as a priority patch, verify version numbers across their fleet, and audit installation configurations going forward.