CVE-2019-3999

HIGH

Druva Insync Client - OS Command Injection

Title source: rule

Description

Improper neutralization of special elements used in an OS command in Druva inSync Windows Client 6.5.0 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Chris Lyne · textlocalwindows

https://www.exploit-db.com/exploits/48400

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://www.tenable.com/security/research/tra-2020-12

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157493/Druva-inSync-Windows-Client-6.5.2-Privilege-Escalation.html

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157680/Druva-inSync-inSyncCPHwnet64.exe-RPC-Type-5-Privilege-Escalation.html

Scores

CVSS v3 7.8

EPSS 0.1656

EPSS Percentile 94.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

druva/insync_client 6.5.0

Published Feb 25, 2020

Tracked Since Feb 18, 2026