Impact
The vulnerability is an Incorrect Use of Privileged APIs in Unity Parsec's Windows implementation, discovered in version v2026-05-04.0 and earlier. It allows a local user to craft a parsecd.exe instance that runs with the SYSTEM account by manipulating the AppData environment variable. This flaw leads to an Elevation of Privilege, granting the attacker system‑level access on the affected host.
Affected Systems
Affected are all Windows clients of Unity Parsec up to version 150-104a, including all builds released before the patched release. Any installations using parsecd.exe on a Windows host that have not been upgraded to at least 150-104a are susceptible.
Risk and Exploitability
The CVSS score of 8.4 marks this as a high‑severity issue, but its EPSS score is not available and it is not listed in CISA’s KEV catalog. Exploitation requires a local attacker to influence the AppData environment variable; therefore the attack vector is local user privilege escalation. A successful exploitation would grant SYSTEM privileges, allowing the attacker to execute arbitrary code, install malware, modify system configuration, and bypass all Windows security controls.
OpenCVE Enrichment