CVE-2019-3999
published 2020-02-25

Priority: P2 · 58 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 8.57% (94.4th percentile)
Improper neutralization of special elements used in an OS command in Druva inSync Windows Client 6.5.0 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.

Affected (1 range)

Vendor: druva · Product: insync_client · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 6064
process: inSyncCPHwnet64.exe
other: inSync PHC RPCW[v0002]
command: func_num = "\x05\x00\x00\x00"
ip: 127.0.0.1
url: https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
path: C:\Program Files (x86)\Druva\inSync\electron\inSyncClient\inSync.exe
filename: inSyncCPH.log
bytes: 69 6e 53 79 6e 63 20 50 48 43 20 52 50 43 57 5b 76 30 30 30 32 5d 05 00 00 00
  • Monitor TCP port 6064 on localhost for connections sending RPC type 5 messages (byte sequence 0x05 0x00 0x00 0x00) prefixed with the magic header 'inSync PHC RPCW[v0002]'. Any such traffic from non-Druva processes is suspicious.
  • Alert on inSyncCPHwnet64.exe spawning unexpected child processes (e.g. cmd.exe, net.exe, powershell.exe) as SYSTEM, which would indicate successful exploitation via CreateProcessW.
  • Search inSyncCPH.log for entries containing 'Got a request to create a process for sysstate' with unexpected command strings to identify exploitation attempts.
  • Flag inSync versions 6.6.3 and prior (specifically confirmed on 6.5.2r99097 and 6.6.3r102156) as vulnerable targets for prioritized patching and detection coverage.
  • The exploit connects to 127.0.0.1:6064, meaning the attack surface is local only; network-based detection must focus on the loopback interface.
  • The RPC protocol requires sending the hello, func_num, command_length, and command_line as separate sequential TCP sends; a single-packet signature will not capture the full exploit handshake.
  • The command payload is encoded as wide (UTF-16LE) characters before transmission; detection signatures must account for null-byte padding between each character.
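As an added example (not code from the page's sources or from Druva), a Python detector that applies the checks above: it parses a reassembled loopback stream to port 6064 for the 'inSync PHC RPCW[v0002]' header and a type-5 func_num, decodes the UTF-16LE command, and scans inSyncCPH.log lines for the 'Got a request to create a process for sysstate' marker. The 4-byte little-endian width of command_length, the install-directory allow-list, and the sample stream and log lines are assumptions or constructed input.

```python
import struct

# Values quoted on this page: the hello header and the create-process func_num
MAGIC = b"inSync PHC RPCW[v0002]"
RPC_CREATE_PROCESS = 5  # sent on the wire as 05 00 00 00
LOG_MARKER = "Got a request to create a process for sysstate"
# Assumption: legitimate requests name binaries under the inSync install directory
EXPECTED_PREFIX = r"c:\program files (x86)\druva\insync"

def parse_rpc_stream(data):
    """Parse a reassembled client->127.0.0.1:6064 stream into (func_num, command).
    The hello, func_num, length and command arrive as separate sends, so reassemble
    the TCP stream first. Field widths after the header are an assumption: 4-byte LE
    func_num, 4-byte LE byte count, then UTF-16LE text. Returns None if not inSync RPC."""
    if not data.startswith(MAGIC) or len(data) < len(MAGIC) + 8:
        return None
    func_num, cmd_len = struct.unpack_from("<II", data, len(MAGIC))
    cmd = data[len(MAGIC) + 8:len(MAGIC) + 8 + cmd_len]
    if len(cmd) != cmd_len:
        return None  # truncated capture: do not guess the command
    return func_num, cmd.decode("utf-16-le", errors="replace")

def rpc_alert(data, source_image):
    """Alert text for a type-5 (CreateProcessW) request from a non-Druva process."""
    parsed = parse_rpc_stream(data)
    if parsed is None or parsed[0] != RPC_CREATE_PROCESS:
        return None
    if source_image.lower().startswith(EXPECTED_PREFIX):
        return None
    return "create-process RPC from %s: %r" % (source_image, parsed[1])

def suspicious_log_lines(lines):
    """inSyncCPH.log lines asking for a process outside the install directory.
    Assumption: the command string follows the marker on the same line."""
    hits = []
    for line in lines:
        if LOG_MARKER in line:
            command = line.split(LOG_MARKER, 1)[1].strip(" :")
            if not command.lower().startswith(EXPECTED_PREFIX):
                hits.append(line)
    return hits

# Constructed sample input, not captured from a real host
SAMPLE_CMD = "cmd.exe /c echo test".encode("utf-16-le")
SAMPLE_STREAM = MAGIC + struct.pack("<II", RPC_CREATE_PROCESS, len(SAMPLE_CMD)) + SAMPLE_CMD
SAMPLE_LOG = [
    "INFO " + LOG_MARKER + r": C:\Program Files (x86)\Druva\inSync\electron\inSyncClient\inSync.exe",
    "INFO " + LOG_MARKER + ": cmd.exe /c echo test",
]
```

Feed `parse_rpc_stream` the reassembled bytes of each loopback connection to port 6064 (for example from a follow-TCP-stream export), and pair the alert with the image path of the connecting process from your EDR's network telemetry.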

CVSS provenance

NVD, CVSS v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)