⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2023-04-20.

CVE-2017-7494 — Code Injection in Samba

CWE-94 — Code Injection CWE-20 — Improper Input Validation41 documents22 sources

Severity

9.8CRITICALNVD

EPSS

94.2%

top 0.07%

CISA KEV

KEVRansomware

Added 2023-03-30

Due 2023-04-20

Exploit

Exploited in wild

Active exploitation observed

Affected products

Samba Debian Samba Debian Linux

Timeline

PublishedMay 30

KEV addedMar 30

KEV dueApr 20

Latest updateOct 28

CISA Required Action: Apply updates per vendor instructions.

Description

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDsamba/samba3.5.0 — 4.4.0+3

▶debiandebian/samba< samba 2:4.5.8+dfsg-2 (bookworm)

▶Debiansamba/samba< 2:4.5.8+dfsg-2+3

▶CVEListV5samba/sambasince 3.5.0

Also affects: Debian Linux 8.0

Patches

Patch: www.samba.org ↗Patch: www.samba.org ↗

🔴Vulnerability Details

GHSA

GHSA-453q-q3mp-9cq4: Samba since version 3↗2022-05-14

▶

OSV

CVE-2017-7494: Samba since version 3↗2017-05-30

▶

VulnCheck

Samba Remote Code Execution Vulnerability↗2017

▶

💥Exploits & PoCs

Exploit-DB

Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)↗2017-05-29

▶

Exploit-DB

Samba 3.5.0 - Remote Code Execution↗2017-05-24

▶

Metasploit

Samba is_known_pipename() Arbitrary Module Load↗

▶

🔍Detection Rules

Suricata

ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)↗2017-06-16

▶

Suricata

ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)↗2017-05-25

▶

Suricata

ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)↗2017-05-25

▶

📋Vendor Advisories

CISA

Samba Remote Code Execution Vulnerability↗2023-03-30

▶

CISA ICS

Schneider Electric U.motion Builder (Update A)↗2017-06-29

▶

Cisco

Vulnerability in Samba Affecting Cisco Products: May 2017↗2017-05-30

▶

Ubuntu

Samba vulnerability↗2017-05-24

▶

Ubuntu

Samba vulnerability↗2017-05-24

▶

🕵️Threat Intelligence

Trendmicro

The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It↗2022-02-02

▶

Trendmicro

La vulnerabilidad de Samba: qué es CVE-2021-44142 y cómo solucionarlo↗2022-02-02

▶

Securelist

SambaCry is coming↗2017-06-09

▶

Securelist

SambaCry is coming↗2017-06-09

▶

Qualys

Samba Vulnerability CVE-2017-7494↗2017-05-26

▶

📄Research Papers

arXiv

Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents↗2025-10-28

▶

arXiv

Real-World Usability of Vulnerability Proof-of-Concepts: A Comprehensive Study↗2025-10-21

▶

arXiv

xOffense: An AI-driven autonomous penetration testing framework with offensive knowledge-enhanced LLMs and multi agent systems↗2025-09-16

▶

arXiv

PentestAgent: Incorporating LLM Agents to Automated Penetration Testing↗2025-05-29

▶

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2017-7494 samba: Loading shared modules from any path in the system leading to RCE (SambaCry) [fedora-all]↗2017-05-24

▶

Bugzilla

CVE-2017-7494 samba: Loading shared modules from any path in the system leading to RCE (SambaCry)↗2017-05-12

▶