2017's other wormable file-share RCE, the one nobody remembers, is still on your NAS
Everyone remembers EternalBlue tearing through Windows SMB in 2017. The same year, Samba shipped a fix for SambaCry: upload a library to a writable share, trigger it, get root. It lives on in the NAS and IoT boxes that embed Samba and never update.
2017 is remembered as the year EternalBlue and WannaCry tore through Windows SMB. The Unix world had its own version that spring, and almost nobody talks about it. CVE-2017-7494, nicknamed SambaCry, let a malicious client upload a shared library to a writable Samba share and then trick the server into loading and executing it, yielding remote code execution as the Samba service, which is typically root. The exploit was famously about seven lines long. Samba file servers are the SMB implementation on Linux, Unix, and, critically, the embedded devices in everyone’s closets, and that’s where this bug still lives.
What the bug is
CVE-2017-7494 is a code-injection flaw (CWE-94), CVSS 9.8, in Samba’s handling of Windows named pipes. An attacker who can write to a share uploads a malicious .so file, then references it through a crafted named-pipe path; Samba’s is_known_pipename logic doesn’t restrict the path, so the server dlopen()s and runs the attacker’s library in its own privileged context. It affects Samba from 3.5.0 up to the fixed releases 4.4.14, 4.5.10, and 4.6.4, per Samba’s advisory. A Metasploit module (is_known_pipename) has existed since launch, and CISA added it to the Known Exploited Vulnerabilities catalog on March 30, 2023, with the ransomware flag. In the wild it was used to drop the EternalMiner cryptominer, among other payloads.
The preconditions are the part to internalize, because they’re also where your control is. The attacker needs (1) network access to the Samba service, (2) a share they can write to, and (3) knowledge of that share’s path on the server’s filesystem. None of those is exotic. Writable shares are common, default share paths are guessable, and SMB is frequently reachable on networks that should have segmented it off.
Why it’s still relevant years later
A 2017 Samba bug matters in 2026 for the same reason the Zyxel and CentOS entries do: the patch exists, but a huge population of devices will never receive it. Samba is embedded everywhere. Consumer and small-business NAS appliances from Netgear, QNAP, Synology, and others run it; so do routers, IP cameras, and a long tail of IoT and OT gear. Those devices share two properties that make SambaCry durable: they expose file sharing as their core function, and they’re rarely, if ever, firmware-updated after purchase. A NAS in a closet running an embedded Samba from years ago, with a writable share and SMB reachable, is exactly the target this bug was made for.
And unlike a desktop, a NAS is a data target in its own right. It’s where backups, file shares, and often credentials live. Root on the NAS is root on the thing holding the data you’d most want to protect or ransom.
What to do
- Patch Samba to a fixed version on every server you manage. 4.6.4, 4.5.10, 4.4.14, or later. On maintained Linux distributions this came through normal updates years ago, so the gap is on systems that fell off the patch cycle.
- Inventory and update embedded Samba. This is the hard part and the important one. Find your NAS, router, camera, and appliance fleet, check vendor advisories for CVE-2017-7494, and apply firmware updates. For devices past end-of-life with no fix, the answer is replacement or strict isolation, same as any unpatchable edge device.
- Lock down writable shares and SMB reachability. The exploit needs a writable share and network access to it. Make shares read-only where the workflow allows, require authentication, and never expose SMB (TCP 445) to the internet or untrusted segments. Segmentation alone defeats most realistic attack paths here.
- Apply the Samba mitigation where you can’t patch immediately. Samba documented adding
nt pipe support = noto the[global]section ofsmb.conf, which blocks the named-pipe vector. Test it, as it can affect some client functionality, and treat it as a stopgap. - Hunt on long-exposed file servers. Public exploits have been around since 2017. An internet-reachable or untrusted-network-reachable unpatched Samba should be checked for unexpected
.sofiles in share directories, the Samba process spawning unusual children, and cryptominer activity.
The reframe is about the breadth of “SMB.” When EternalBlue made SMB a household word in security, the attention went to Windows, and the equally-wormable Samba bug that landed the same season got a fraction of the notice. But Samba is the SMB stack on the devices least likely to ever be patched, the appliances people buy, plug in, and forget are running a full file server. Inventory your embedded Samba, lock down your writable shares, and keep SMB off any network it doesn’t belong on. We track the old file-sharing entries because, like the bug itself, they persist longest exactly where nobody’s looking.
Sources
Share
Related field notes
-
Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box
The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started. Four CVEs in a legacy file-transfer appliance, exploited to steal data from dozens of organizations. The product was already two decades old and on its way out.
-
The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock
Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware. They're not separate stories. They're the same story: internet-exposed consumer gear that gets conscripted into IoT botnets, and the fix is almost always the same.
-
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
One email, every weekday morning.
You're in. Check your inbox.