{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/luci-app-samba4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-59260"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["luci-app-samba4"],"_cs_severities":["high"],"_cs_tags":["openwrt","samba","cve","rce","network","linux"],"_cs_type":"advisory","_cs_vendors":["OpenWrt"],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-59260, has been identified in OpenWrt's luci-app-samba4 package, which serves as a web interface for Samba. This flaw stems from an improper \u003ccode\u003eread\u003c/code\u003e ACL that inadvertently grants \u003ccode\u003efile.exec\u003c/code\u003e permission on the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e daemon. This misconfiguration allows authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can leverage this by passing arbitrary Samba global options, such as the \u003ccode\u003emessage command\u003c/code\u003e parameter, to a root \u003ccode\u003esmbd\u003c/code\u003e process. This injection ultimately triggers command execution on the underlying OpenWrt device when SMB protocol messages are processed, leading to remote code execution. This vulnerability poses a significant risk to OpenWrt systems using the vulnerable package, enabling attackers to gain full control over the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains credentials for an authenticated delegated user on an OpenWrt device running \u003ccode\u003eluci-app-samba4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the improper \u003ccode\u003eread\u003c/code\u003e ACL within \u003ccode\u003eluci-app-samba4\u003c/code\u003e that affects the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e executable.\u003c/li\u003e\n\u003cli\u003eThe misconfigured ACL grants the authenticated user \u003ccode\u003efile.exec\u003c/code\u003e permission on the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e daemon, allowing them to initiate its execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003e/usr/sbin/smbd\u003c/code\u003e process, providing specific command-line arguments that are under their control.\u003c/li\u003e\n\u003cli\u003eDuring the execution, the attacker injects malicious Samba global options, such as \u003ccode\u003e-o \u0026quot;message command = /path/to/arbitrary/script.sh\u0026quot;\u003c/code\u003e, into the \u003ccode\u003esmbd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esmbd\u003c/code\u003e process, running with root privileges, processes subsequent SMB protocol messages containing the injected \u003ccode\u003emessage command\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe arbitrary command specified in the \u003ccode\u003emessage command\u003c/code\u003e option is then executed with root privileges on the OpenWrt device.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution (RCE), gaining full control over the compromised OpenWrt system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59260 allows an authenticated delegated user to achieve remote code execution with root privileges on the OpenWrt device. This level of compromise grants the attacker complete control over the network device. The impact includes, but is not limited to, unauthorized access to network resources, manipulation or exfiltration of sensitive data, establishment of persistent backdoors, and the ability to pivot to other systems within the network. This could lead to significant data breaches, service disruptions, or further attacks on connected infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59260 by updating the \u003ccode\u003eluci-app-samba4\u003c/code\u003e package on all affected OpenWrt devices immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect suspicious \u003ccode\u003esmbd\u003c/code\u003e process creations.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive process creation logging for Linux systems to capture full command-line arguments for processes like \u003ccode\u003esmbd\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:25:02Z","date_published":"2026-07-12T12:25:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/","summary":"A vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.","title":"OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Luci-App-Samba4","version":"https://jsonfeed.org/version/1.1"}