OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution
A vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.
A high-severity vulnerability, CVE-2026-59260, has been identified in OpenWrt's luci-app-samba4 package, which serves as a web interface for Samba. This flaw stems from an improper read ACL that inadvertently grants file.exec permission on the /usr/sbin/smbd daemon. This misconfiguration allows authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can leverage this by passing arbitrary Samba global options, such as the message command parameter, to a root smbd process. This injection ultimately triggers command execution on the underlying OpenWrt device when SMB protocol messages are processed, leading to remote code execution. This vulnerability poses a significant risk to OpenWrt systems using the vulnerable package, enabling attackers to gain full control over the device.
Attack Chain
- An attacker obtains credentials for an authenticated delegated user on an OpenWrt device running
luci-app-samba4. - The attacker leverages the improper
readACL withinluci-app-samba4that affects the/usr/sbin/smbdexecutable. - The misconfigured ACL grants the authenticated user
file.execpermission on the/usr/sbin/smbddaemon, allowing them to initiate its execution. - The attacker executes the
/usr/sbin/smbdprocess, providing specific command-line arguments that are under their control. - During the execution, the attacker injects malicious Samba global options, such as
-o "message command = /path/to/arbitrary/script.sh", into thesmbdprocess. - The
smbdprocess, running with root privileges, processes subsequent SMB protocol messages containing the injectedmessage command. - The arbitrary command specified in the
message commandoption is then executed with root privileges on the OpenWrt device. - The attacker achieves remote code execution (RCE), gaining full control over the compromised OpenWrt system.
Impact
Successful exploitation of CVE-2026-59260 allows an authenticated delegated user to achieve remote code execution with root privileges on the OpenWrt device. This level of compromise grants the attacker complete control over the network device. The impact includes, but is not limited to, unauthorized access to network resources, manipulation or exfiltration of sensitive data, establishment of persistent backdoors, and the ability to pivot to other systems within the network. This could lead to significant data breaches, service disruptions, or further attacks on connected infrastructure.
Recommendation
- Patch CVE-2026-59260 by updating the
luci-app-samba4package on all affected OpenWrt devices immediately. - Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious
smbdprocess creations. - Enable comprehensive process creation logging for Linux systems to capture full command-line arguments for processes like
smbd.
Detection coverage 1
Detects CVE-2026-59260 Exploitation - smbd with message command
highDetects CVE-2026-59260 exploitation - execution of the smbd daemon with the 'message command' global option, indicative of command injection via improper ACLs in luci-app-samba4.
Detection queries are available on the platform. Get full rules →