CVE-2026-27884 is a path traversal vulnerability classified under CWE-22 affecting Pennyw0rth's NetExec tool, a network execution utility. The vulnerability exists in the spider_plus module prior to version 1.5.1, which is responsible for crawling SMB shares and saving files locally. The flaw arises because spider_plus does not properly sanitize or restrict pathname inputs when creating output files and directories. Specifically, it fails to handle path traversal characters such as '../' embedded in filenames on Linux SMB shares. An attacker controlling or influencing the SMB share can craft filenames containing these sequences, causing spider_plus to write files outside the intended directory scope. This can lead to arbitrary file overwrite or creation on the host running spider_plus, potentially allowing an attacker to modify configuration files, inject malicious scripts, or disrupt system operations. The vulnerability requires the attacker to have network access to the SMB share and to trick or convince the user to run spider_plus with the DOWNLOAD=true option enabled, which triggers the file saving behavior. No authentication is required to exploit the SMB share itself, but user interaction is necessary to initiate the download. The issue has been patched in NetExec version 1.5.1. No public exploits have been reported yet, but the vulnerability poses a risk due to the potential for arbitrary file writes. The CVSS v3.1 score is 5.3 (medium), reflecting network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.

The primary impact of this vulnerability is the ability for an attacker to overwrite or create arbitrary files on the system running the vulnerable NetExec spider_plus module. This can compromise system integrity by allowing modification of critical configuration files, insertion of malicious code, or disruption of normal operations. While confidentiality is not directly affected, integrity violations can lead to privilege escalation, persistence, or further compromise if the attacker can inject scripts or binaries executed by privileged processes. Availability impact is minimal as the vulnerability does not directly cause denial of service. The requirement for user interaction and the need to run spider_plus with DOWNLOAD=true limits the attack surface but does not eliminate risk, especially in environments where SMB shares are accessible and users may run the tool with unsafe options. Organizations relying on NetExec for network execution and SMB share crawling could face targeted attacks aiming to manipulate local files, potentially impacting operational security and trustworthiness of systems. The lack of known exploits reduces immediate risk but patching is critical to prevent future exploitation.

1. Upgrade Pennyw0rth NetExec to version 1.5.1 or later, where the vulnerability is patched. 2. Until patching is possible, avoid running the spider_plus module with the DOWNLOAD=true option, especially against untrusted or external SMB shares. 3. Restrict access to SMB shares to trusted users and systems only, minimizing exposure to maliciously crafted filenames. 4. Implement strict input validation and sanitization on SMB shares if possible, preventing filenames with path traversal sequences. 5. Monitor logs and file system changes on systems running NetExec for unexpected file writes or modifications outside expected directories. 6. Employ application whitelisting and integrity monitoring to detect unauthorized file changes. 7. Educate users and administrators about the risks of running spider_plus with unsafe options and the importance of applying updates promptly. 8. Consider network segmentation to isolate systems running NetExec from untrusted SMB shares or networks. These steps go beyond generic advice by focusing on controlling the specific attack vector (SMB shares and spider_plus usage) and monitoring for exploitation signs.