CVE-2021-3187

8.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated, unprivileged user on a macOS system to elevate privileges to root during software installation. It affects BeyondTrust Privilege Management for Mac versions before 5.7 running on macOS versions before 10.15.5, or on Mojave and High Sierra without Security Update 2020-003.

💻 Affected Systems

Products:
  • BeyondTrust Privilege Management for Mac
Versions: before 5.7
Operating Systems: macOS before 10.15.5, macOS Mojave without Security Update 2020-003, macOS High Sierra without Security Update 2020-003
Default Config Vulnerable: ⚠️ Yes
Notes: Later versions of macOS (10.15.5+) are not vulnerable regardless of the BeyondTrust version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains full root access to the macOS system, enabling complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

A malicious insider or a compromised user account escalates privileges to install malware, access sensitive data, or bypass security controls.

🟢 If Mitigated

Limited impact where access controls, monitoring, and timely patching are in place and prevent successful exploitation.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access to the macOS system, not directly internet-exposed.
🏢 Internal Only: HIGH - Significant risk from insider threats or compromised user accounts within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access and occurs during software installation time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7 or later

Vendor Advisory: https://www.beyondtrust.com/trust-center/security-advisories/bt22-06

Restart Required: Yes

Instructions:

1. Update BeyondTrust Privilege Management for Mac to version 5.7 or later.
2. Ensure macOS is updated to 10.15.5+ or has Security Update 2020-003 applied.
3. Restart affected systems.

🔧 Temporary Workarounds

Update macOS

Update macOS to version 10.15.5 or later, which is not vulnerable regardless of the BeyondTrust version.

sudo softwareupdate --install --all

Apply Security Update

Apply Security Update 2020-003 on macOS Mojave or High Sierra systems. The label passed to --install must match the name shown by 'softwareupdate --list', which may carry a version suffix.

sudo softwareupdate --install "Security Update 2020-003"

🧯 If You Can't Patch

  • Restrict user access to systems running vulnerable versions to trusted personnel only.
  • Implement strict monitoring of installation activities and temporary directory access.

🔍 How to Verify

Check if Vulnerable:

Check the BeyondTrust version with 'sudo /usr/local/bin/bpriv' (or the equivalent command for your installation), and the macOS version with 'sw_vers'.

Check Version:

sudo /usr/local/bin/bpriv --version && sw_vers

Verify Fix Applied:

Verify BeyondTrust version is 5.7+ and macOS is 10.15.5+ or has Security Update 2020-003 applied.
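The affected-version statement above can be turned into a small check that compares the two version numbers the same way the page does. This is an added example and not a BeyondTrust tool: the helper functions take the version strings as arguments so the logic can be run anywhere, and the optional main reads only the macOS version (via the real 'sw_vers -productVersion'); the BeyondTrust version and whether Security Update 2020-003 is present are supplied by the operator, since the page gives no reliable command for either.

```python
"""Exposure check for CVE-2021-3187 (example code, not BeyondTrust's own tooling).

Encodes the affected-version statement from the advisory summary:
  - BeyondTrust Privilege Management for Mac before 5.7, AND
  - macOS before 10.15.5, except Mojave (10.14) / High Sierra (10.13)
    hosts that already have Security Update 2020-003 applied.
"""
import platform
import subprocess
import sys

BEYONDTRUST_FIXED = (5, 7, 0)
MACOS_FIXED = (10, 15, 5)
# major.minor branches that Security Update 2020-003 covers (Mojave, High Sierra).
SECURITY_UPDATE_BRANCHES = {(10, 14), (10, 13)}


def parse_version(text):
    """Turn '10.15.4' or '5.7' into a 3-tuple of ints.

    Zero-padding matters: in Python (5, 7) < (5, 7, 0) is True, so without
    padding '5.7' would be treated as older than the fixed version 5.7.0.
    Non-numeric trailing parts (e.g. '-beta') are ignored.
    """
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    if not parts:
        raise ValueError("not a dotted version: %r" % text)
    return tuple((parts + [0, 0, 0])[:3])


def beyondtrust_is_vulnerable(version):
    """True for any agent release before 5.7."""
    return parse_version(version) < BEYONDTRUST_FIXED


def macos_is_vulnerable(product_version, has_security_update_2020_003):
    """True when the OS side of the condition is met.

    10.15.5 and later are never vulnerable; Mojave/High Sierra are exempt
    only if Security Update 2020-003 is installed; everything else before
    10.15.5 (including 10.15.0-10.15.4 and releases older than 10.13) is.
    """
    v = parse_version(product_version)
    if v >= MACOS_FIXED:
        return False
    if v[:2] in SECURITY_UPDATE_BRANCHES and has_security_update_2020_003:
        return False
    return True


def system_is_vulnerable(bt_version, macos_version, has_security_update_2020_003):
    """Both halves must hold: a pre-5.7 agent on an unpatched macOS."""
    return beyondtrust_is_vulnerable(bt_version) and macos_is_vulnerable(
        macos_version, has_security_update_2020_003
    )


def main(argv):
    # Usage: python3 check.py <beyondtrust-version> [--has-su-2020-003]
    # The BeyondTrust version is passed in by the operator (assumption: taken
    # from whatever version command the installed agent provides).
    if len(argv) < 2 or platform.system() != "Darwin":
        print("usage (macOS only): check.py <beyondtrust-version> [--has-su-2020-003]")
        return 2
    bt_version = argv[1]
    has_su = "--has-su-2020-003" in argv[2:]
    macos_version = subprocess.check_output(
        ["sw_vers", "-productVersion"], text=True
    ).strip()
    verdict = system_is_vulnerable(bt_version, macos_version, has_su)
    print("BeyondTrust %s on macOS %s -> %s" % (
        bt_version, macos_version, "VULNERABLE" if verdict else "not affected"))
    return 1 if verdict else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status follows the usual convention for fleet checks (1 when the host is exposed), so the script can be dropped into an MDM or configuration-management inventory run as-is.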

📡 Detection & Monitoring

Log Indicators:

  • Unusual root-level process execution during software installation
  • Script execution from temporary directories with elevated privileges

Network Indicators:

  • None - local privilege escalation only

SIEM Query:

Process execution events where the parent process is installation-related and the child process runs as root from /tmp or a similar temporary directory.
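The SIEM query above, written out as a rule over process-execution events. This is an added example, not a vendor detection: the event field names (id, user, exe, parent), the list of installer-related parent process names, and the sample events are all constructed for this illustration and should be mapped onto whatever your EDR or endpoint log source actually emits.

```python
"""Detection rule for the SIEM query on this page (added example, not a vendor rule).

Input: one JSON object per line with the assumed fields
  id, user (or uid), exe (full path of the executable), parent (parent process name).
An event is flagged when all three hold:
  (a) it runs as root,
  (b) the executable lives in a temporary directory,
  (c) the parent is an installation-related process.
"""
import json

# macOS temporary locations, with and without the /private prefix.
TEMP_DIR_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

# Installer-related parent names (assumed list for this example; extend it with
# the agent's own installer helper names as seen in your environment).
INSTALLER_PARENTS = {"installer", "Installer", "package_script_service"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
{"id": 1, "user": "root", "exe": "/usr/sbin/installer", "parent": "sudo"}
{"id": 2, "user": "root", "exe": "/tmp/installer-scratch/postinstall", "parent": "package_script_service"}
{"id": 3, "user": "alice", "exe": "/tmp/build/run.sh", "parent": "bash"}
{"id": 4, "user": "root", "exe": "/private/var/folders/zz/abc/T/helper.sh", "parent": "installer"}
{"id": 5, "user": "root", "exe": "/tmp/cleanup.sh", "parent": "launchd"}
not json at all
"""


def runs_as_root(event):
    return event.get("user") == "root" or event.get("uid") == 0


def from_temp_dir(path):
    return any(path.startswith(prefix) for prefix in TEMP_DIR_PREFIXES)


def installer_parent(name):
    return name in INSTALLER_PARENTS


def flag_events(lines):
    """Return the ids of events matching the rule, in input order.

    Malformed lines are skipped rather than aborting the rule, so one bad
    record from the log pipeline does not silence the detection.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if (runs_as_root(event)
                and from_temp_dir(event.get("exe", ""))
                and installer_parent(event.get("parent", ""))):
            hits.append(event["id"])
    return hits


if __name__ == "__main__":
    print("flagged event ids:", flag_events(SAMPLE_EVENTS.splitlines()))
```

Note that a legitimate .pkg whose postinstall script runs from a temporary directory matches this rule just as the page's query would (event 2 in the sample), so the output needs baselining against your normal software-deployment activity before it is used for alerting rather than for hunting.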
