CVE-2026-27884
Received Received - Intake
Path Traversal in NetExec spider_plus Allows Arbitrary File Overwrite

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
NetExec is a network execution tool. Prior to version 1.5.1, the module spider_plus improperly creates the output file and folder path when saving files from SMB shares. It does not take into account that it is possible for Linux SMB shares to have path traversal characters such as `../` in them. An attacker can craft a filename in an SMB share that includes these characters, which when spider_plus crawls and downloads, can write or overwrite arbitrary files. The issue is patched in v1.5.1. As a workaround, do not run spider_plus with DOWNLOAD=true against targets.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2026-02-26
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27884
EUVD
EUVD-2026-8790
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pennyw0rth netexec to 1.5.1 (exc)
pennyw0rth netexec 1.5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-27884 is a vulnerability in the spider_plus module of the NetExec tool that allows an attacker to perform arbitrary file writes on the local system. This happens because spider_plus improperly handles filenames received from SMB shares, failing to sanitize path traversal characters such as "../". An attacker can craft filenames containing these traversal sequences, which spider_plus then uses to save files outside the intended directory, potentially overwriting important files.'}, {'type': 'paragraph', 'content': 'The root cause is that the module does not validate or clean the remote file paths before saving them locally, allowing directory traversal attacks. The issue was fixed by normalizing and sanitizing the file paths to remove any traversal components before writing files.'}] [1, 2, 3, 4]


How can this vulnerability impact me? :

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to overwrite arbitrary files on your system when you run the spider_plus module with the DOWNLOAD option against a malicious SMB share. This could lead to corruption or deletion of important files, potentially "nuking" your system or causing it to behave unpredictably.'}, {'type': 'paragraph', 'content': 'Because the vulnerability allows arbitrary file writes, it poses a high integrity risk, meaning the attacker can modify files without authorization. However, it does not affect confidentiality or availability directly.'}, {'type': 'paragraph', 'content': 'The attack requires network access and user interaction (running spider_plus with DOWNLOAD=true), and has a high attack complexity.'}] [2, 3, 4]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the spider_plus module of NetExec is being run with the DOWNLOAD=true option against SMB shares, as this triggers the vulnerable file download behavior.'}, {'type': 'paragraph', 'content': "Since the vulnerability arises from path traversal sequences in SMB filenames, monitoring SMB traffic for filenames containing '../' or other traversal characters could help detect attempts to exploit this issue."}, {'type': 'paragraph', 'content': 'Additionally, reviewing logs or debug output from spider_plus for unusual file save paths or errors related to file writes outside expected directories can indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Using network packet capture tools (e.g., tcpdump, Wireshark) to filter SMB traffic and inspect filenames for path traversal patterns.'}, {'type': 'list_item', 'content': "Checking the NetExec spider_plus module logs for file paths containing '../' or unexpected directory escapes."}, {'type': 'list_item', 'content': 'Auditing running NetExec processes or scripts to verify if spider_plus is executed with DOWNLOAD=true.'}] [2, 3, 4]


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation is to avoid running the spider_plus module with the DOWNLOAD=true option against SMB targets until the vulnerability is patched.

Upgrading NetExec to version 1.5.1 or later, where the vulnerability is fixed by sanitizing and normalizing SMB file paths to prevent path traversal, is the recommended permanent solution.

If upgrading immediately is not possible, ensure that any use of spider_plus is done in controlled environments and avoid scanning untrusted SMB shares.

Additionally, auditing other file download functionalities (such as the --get-file option) for similar path traversal vulnerabilities is advised.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart