<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Luci-App-Samba4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/luci-app-samba4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 12:25:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/luci-app-samba4/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/</link><pubDate>Sun, 12 Jul 2026 12:25:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openwrt-samba4-rce/</guid><description>A vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-59260, has been identified in OpenWrt's luci-app-samba4 package, which serves as a web interface for Samba. This flaw stems from an improper <code>read</code> ACL that inadvertently grants <code>file.exec</code> permission on the <code>/usr/sbin/smbd</code> daemon. This misconfiguration allows authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can leverage this by passing arbitrary Samba global options, such as the <code>message command</code> parameter, to a root <code>smbd</code> process. This injection ultimately triggers command execution on the underlying OpenWrt device when SMB protocol messages are processed, leading to remote code execution. This vulnerability poses a significant risk to OpenWrt systems using the vulnerable package, enabling attackers to gain full control over the device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains credentials for an authenticated delegated user on an OpenWrt device running <code>luci-app-samba4</code>.</li>
<li>The attacker leverages the improper <code>read</code> ACL within <code>luci-app-samba4</code> that affects the <code>/usr/sbin/smbd</code> executable.</li>
<li>The misconfigured ACL grants the authenticated user <code>file.exec</code> permission on the <code>/usr/sbin/smbd</code> daemon, allowing them to initiate its execution.</li>
<li>The attacker executes the <code>/usr/sbin/smbd</code> process, providing specific command-line arguments that are under their control.</li>
<li>During the execution, the attacker injects malicious Samba global options, such as <code>-o &quot;message command = /path/to/arbitrary/script.sh&quot;</code>, into the <code>smbd</code> process.</li>
<li>The <code>smbd</code> process, running with root privileges, processes subsequent SMB protocol messages containing the injected <code>message command</code>.</li>
<li>The arbitrary command specified in the <code>message command</code> option is then executed with root privileges on the OpenWrt device.</li>
<li>The attacker achieves remote code execution (RCE), gaining full control over the compromised OpenWrt system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59260 allows an authenticated delegated user to achieve remote code execution with root privileges on the OpenWrt device. This level of compromise grants the attacker complete control over the network device. The impact includes, but is not limited to, unauthorized access to network resources, manipulation or exfiltration of sensitive data, establishment of persistent backdoors, and the ability to pivot to other systems within the network. This could lead to significant data breaches, service disruptions, or further attacks on connected infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59260 by updating the <code>luci-app-samba4</code> package on all affected OpenWrt devices immediately.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious <code>smbd</code> process creations.</li>
<li>Enable comprehensive process creation logging for Linux systems to capture full command-line arguments for processes like <code>smbd</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openwrt</category><category>samba</category><category>cve</category><category>rce</category><category>network</category><category>linux</category></item></channel></rss>