CVE-2026-4408: Samba Remote Command Execution via Misconfigured Password Check Script
CVE-2026-4408 describes a remote command execution vulnerability in Samba file servers and classic domain controllers where a misconfigured 'check password script' feature, using the %u substitution character without proper escaping, allows attackers to execute arbitrary commands.
CVE-2026-4408 describes a critical vulnerability affecting Samba file servers and classic domain controllers. The vulnerability stems from a misconfiguration in the "check password script" feature. When this script is configured to use the %u substitution character, the username supplied by the client is passed to the script without proper escaping of shell meta-characters. This allows a remote attacker to inject arbitrary commands that are then executed on the affected system. This vulnerability is most likely to be present in non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is running as a system service. Defenders should review their Samba configurations to ensure they are not vulnerable.
Attack Chain
- Attacker identifies a Samba server with the 'check password script' feature enabled and configured with the %u substitution character.
- Attacker crafts a malicious username containing shell meta-characters (e.g.,
;,|,&,$()). - Attacker attempts to authenticate to the Samba server using the crafted username and an arbitrary password.
- The Samba server passes the crafted username, without proper escaping, to the configured 'check password script'.
- The 'check password script' executes the injected shell commands due to the presence of unescaped meta-characters in the username.
- The attacker achieves arbitrary command execution on the Samba server with the privileges of the user running the 'samba-dcerpcd' service.
- Attacker leverages the command execution to install a backdoor, escalate privileges, or perform other malicious activities.
Impact
Successful exploitation of CVE-2026-4408 allows a remote attacker to execute arbitrary commands on the affected Samba server. This can lead to complete system compromise, data theft, denial of service, or further propagation within the network. The vulnerability affects Samba file servers and classic domain controllers, potentially impacting organizations relying on these services for file sharing and authentication. The CVSS v3.1 base score for this vulnerability is 9.0, indicating a critical severity.
Recommendation
- Review Samba configurations for the 'check password script' feature and the use of the %u substitution character as described in the overview.
- Apply appropriate input validation and sanitization to user-supplied data passed to the 'check password script'.
- Deploy the Sigma rules provided in this brief to your SIEM to detect exploitation attempts targeting CVE-2026-4408.
Detection coverage 2
Detect CVE-2026-4408 Exploitation Attempt via Malicious Username
criticalDetects CVE-2026-4408 exploitation - Attempts to authenticate to Samba with a username containing shell meta-characters, indicating a potential command injection attempt via a misconfigured 'check password script'.
Detect CVE-2026-4408 Exploitation - Password Check Script Execution of Suspicious Commands
highDetects CVE-2026-4408 exploitation - Monitors process creation events for commands executed by the 'check password script' that contain suspicious shell metacharacters indicating command injection.
Detection queries are available on the platform. Get full rules →