Share
## https://sploitus.com/exploit?id=0163FCEC-FFFB-51A4-A2C9-2BCFD02EB8AF
# CVE-2026-54424



Exploiting Parsec for Windows versions < 150-104a to gain:



* Remote code execution as SYSTEM
* Arbitrary file read as SYSTEM
* NTLM hash capture for SYSTEM



The exploits stem from the same vulnerability, but the actual paths diverge.



Technical writeup: https://www.tomadimitrie.dev/blog/CVE-2026-54424

Advisory: https://support.parsec.app/hc/en-us/articles/50612943726612-CVE-2026-54424

NIST: https://nvd.nist.gov/vuln/detail/CVE-2026-54424



Note: The RCE exploit is pretty flaky, but the others work perfectly 100% of the time. The RCE exploits a very tight race condition and tries to extend the race window using big files. So, on modern and performant systems the files might need to be really big. For testing purposes try a VM with 1 core and 1 GB RAM.