LiveActive security incident?Get immediate response
CVE Record

CVE-2021-36667: Command injection vulnerability in Druva inSync 6.9.0 for MacOS, allows attackers to execute arbitrary comm...

Command injection vulnerability in Druva inSync 6.9.0 for MacOS, allows attackers to execute arbitrary commands via crafted payload to the local HTTP server due to un-sanitized call to the python os.system library.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This issue lets an attacker make a vulnerable Druva inSync macOS client run operating-system commands through its local HTTP server. That can turn endpoint access into command execution on the Mac. The bundle does not provide CVSS, confirmed exploitation, or full version-scope detail.

Executive priority

Treat this as a high-priority endpoint remediation item where Druva inSync is deployed on Macs. It enables command execution, but current bundle evidence does not prove active exploitation or broad remote reach.

Technical view

CVE-2021-36667 is command injection in Druva inSync 6.9.0 for macOS. The described cause is unsanitized input reaching Python os.system through the local HTTP server. The vendor advisory reference title indicates inSync Client 7.0.1 and before, but the provided bundle does not include remediation text.

Likely exposure

Exposure is most likely on macOS endpoints running affected Druva inSync clients with the local HTTP server active. The provided data does not show internet-scale exposure, CPEs, or complete affected-version metadata.

Exploitation context

No KEV listing or cited source in the bundle confirms active exploitation. Public references include a vendor advisory and an independent write-up, so defenders should assume technical details may be publicly accessible without treating exploitation as proven.

Researcher notes

Key unknowns are CVSS score, precise affected-version range, privilege context, and vendor fix details. The available description supports command injection via a local HTTP server caused by unsanitized os.system usage.

Mitigation direction

  • Check Druva’s advisory for affected versions and vendor-recommended remediation.
  • Inventory macOS endpoints for Druva inSync client versions.
  • Prioritize upgrade or removal of vulnerable clients on managed Macs.
  • Limit local service exposure according to vendor guidance.
  • Monitor Druva support channels for updated remediation details.

Validation and detection

  • Confirm whether Druva inSync is installed on macOS assets.
  • Record installed client versions and compare against vendor advisory scope.
  • Verify whether the local HTTP server component is present or running.
  • Review endpoint telemetry for unusual child processes from Druva components.
  • Document remediation status per endpoint group.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-36667 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.