CVE-2020-5752

HIGH

Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 5 public exploits for CVE-2020-5752. PoCs published by Matteo Malvica, 1F98D, yevh, including Metasploit module exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.

AI-analyzed exploit summary: This exploit leverages a path traversal vulnerability in Druva inSync Windows Client 6.6.3 to achieve local privilege escalation. It bypasses path validation via directory traversal sequences and executes arbitrary commands as NT AUTHORITY\SYSTEM via the inSyncCPHwnet64 RPC service.

Description

Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Matteo Malvica · text · local · windows
https://www.exploit-db.com/exploits/48505

This exploit leverages a path traversal vulnerability in Druva inSync Windows Client 6.6.3 to achieve local privilege escalation. It bypasses path validation via directory traversal sequences and executes arbitrary commands as NT AUTHORITY\SYSTEM via the inSyncCPHwnet64 RPC service.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Druva inSync Windows Client 6.6.3
No auth needed
Prerequisites: Local access to the target system · Druva inSync Windows Client 6.6.3 installed
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by 1F98D · powershell · local · windows
https://www.exploit-db.com/exploits/49211

This PowerShell script exploits a local privilege escalation vulnerability in Druva inSync Windows Client 6.6.3 by sending a crafted RPC request to inject a command that adds a new user. The exploit leverages a path traversal technique to execute arbitrary commands via the inSync service.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Druva inSync Windows Client 6.6.3
No auth needed
Prerequisites: Druva inSync Windows Client 6.6.3 installed · Local access to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by yevh · poc
https://github.com/yevh/CVE-2020-5752-Druva-inSync-Windows-Client-6.6.3---Local-Privilege-Escalation-PowerShell-

This PowerShell script exploits a local privilege escalation vulnerability in Druva inSync Windows Client 6.6.3 by leveraging a command injection flaw in an exposed RPC service. It sends a crafted RPC request to execute a reverse shell payload with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Druva inSync Windows Client 6.6.3
No auth needed
Prerequisites: Druva inSync Windows Client 6.6.3 installed · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by x0rbeexd · poc
https://github.com/x0rbeexd/CVE-2020-5752

This repository contains a functional C-based exploit for CVE-2020-5752, targeting the Druva inSync Windows Client (v6.6.3 and below). The exploit leverages an RPC service on port 6064 vulnerable to command injection via path traversal, allowing local privilege escalation to NT AUTHORITY\SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Druva inSync Windows Client (v6.6.3 and below)
No auth needed
Prerequisites: Local access to the target machine · Druva inSync Windows Client (v6.6.3 or below) installed · Network connectivity to an attacker-controlled machine for reverse shell
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Chris Lyne, Matteo Malvica, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb

This Metasploit module exploits a privilege escalation vulnerability in Druva inSync (CVE-2020-5752) by sending a maliciously crafted RPC type 5 message to the inSyncCPHwnet64.exe service on TCP port 6064, allowing arbitrary command execution as SYSTEM.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Druva inSync versions 6.6.3 and prior
No auth needed
Prerequisites: Access to a vulnerable Druva inSync installation · Network access to TCP port 6064 on the target
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Release Notes, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2020-34

Scores

CVSS v3 7.8
EPSS 0.0861
EPSS Percentile 94.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (1)
druva/insync_client 6.6.3
Published May 21, 2020
Tracked Since Feb 18, 2026