
CVE-2026-27884: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Pennyw0rth NetExec

Severity: Medium
Published: Thu Feb 26 2026 (02/26/2026, 00:39:15 UTC)
Source: CVE Database V5
Vendor/Project: Pennyw0rth
Product: NetExec

Description

NetExec is a network execution tool. Prior to version 1.5.1, the module spider_plus improperly creates the output file and folder path when saving files from SMB shares. It does not take into account that it is possible for Linux SMB shares to have path traversal characters such as `../` in them. An attacker can craft a filename in an SMB share that includes these characters, which when spider_plus crawls and downloads, can write or overwrite arbitrary files. The issue is patched in v1.5.1. As a workaround, do not run spider_plus with DOWNLOAD=true against targets.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 11:14:39 UTC

Technical Analysis

CVE-2026-27884 is a medium-severity path traversal vulnerability identified in the Pennyw0rth NetExec tool, a network execution utility widely used for automated SMB share crawling and file retrieval. The vulnerability exists in the spider_plus module prior to version 1.5.1, where the software improperly handles output file and folder paths when saving files downloaded from SMB shares. Specifically, the module does not sanitize or restrict pathname components that include traversal sequences such as '../', which are valid in Linux SMB shares. An attacker with control over filenames on an SMB share can embed these traversal characters to manipulate the destination path on the local filesystem where spider_plus saves files. This manipulation allows writing or overwriting arbitrary files outside the intended directory, potentially leading to unauthorized modification of critical files. The vulnerability requires the spider_plus module to be run with DOWNLOAD=true, and exploitation involves user interaction as the tool must be directed to crawl the malicious SMB share. The CVSS 3.1 base score is 5.3, reflecting network attack vector, high attack complexity, no privileges required, and user interaction needed. The impact is limited to integrity, with no direct confidentiality or availability effects. No public exploits have been reported, and the vendor has addressed the issue in version 1.5.1. As a workaround, users are advised not to run spider_plus with DOWNLOAD=true against untrusted SMB shares until patched.

Potential Impact

The primary impact of CVE-2026-27884 is the unauthorized modification or overwriting of files on systems running vulnerable versions of NetExec when spider_plus is used to download files from SMB shares. This can lead to integrity violations, such as replacing configuration files, scripts, or binaries, potentially enabling further compromise or disruption of operations. While confidentiality and availability are not directly affected, the ability to alter files arbitrarily can facilitate privilege escalation, persistence, or sabotage. Organizations relying on NetExec for automated SMB crawling and file retrieval are at risk, especially if they interact with untrusted or external SMB shares. Exploitation requires user interaction (the tool must be pointed at the malicious share) and a specific configuration (DOWNLOAD=true), and the CVSS vector rates attack complexity as high; together these somewhat limit widespread exploitation. However, targeted attacks against organizations using vulnerable versions could result in significant operational and security consequences. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once the vulnerability is publicly known.

Mitigation Recommendations

To mitigate CVE-2026-27884, organizations should immediately upgrade Pennyw0rth NetExec to version 1.5.1 or later, where the vulnerability has been patched. Until patching is possible, avoid running the spider_plus module with DOWNLOAD=true against SMB shares, especially those that are untrusted or external. Implement strict access controls and monitoring on SMB shares to prevent attackers from placing malicious filenames containing path traversal sequences. Employ network segmentation to limit exposure of NetExec systems to potentially hostile SMB shares. Additionally, consider auditing and restricting the directories where spider_plus saves files to prevent unauthorized file overwrites. Monitoring file integrity on systems running NetExec can help detect suspicious modifications. Finally, educate users and administrators about the risks of running automated SMB crawlers against untrusted sources and enforce policies to reduce risky configurations.
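The technical analysis above describes the root cause (a remote filename joined onto the local output directory without validation), and the mitigation section recommends restricting where spider_plus writes. The following is an added illustration of that fix pattern, written for this page; it is not NetExec's code, and the output root, function names and sample filenames are all constructed. It places the unsafe join beside a hardened version that validates every path component, treats backslashes as separators (the SMB wire convention, an assumption here), and confirms the resolved destination still lies under the output root.

```python
"""Safe destination-path construction for files pulled from an SMB share.

Added illustration for CVE-2026-27884 (not NetExec's code): the unsafe
pattern joins an attacker-controlled remote filename straight onto the
output directory; the hardened version validates each component and
confirms the final location stays under the output root.
"""
import os

# Hypothetical output root; the real tool's default location is not stated here.
OUTPUT_ROOT = "/tmp/spider_plus_out"


def naive_output_path(root: str, share: str, remote_name: str) -> str:
    """Unsafe pattern: normpath collapses '../' and walks out of root."""
    return os.path.normpath(os.path.join(root, share, remote_name))


def split_remote_name(remote_name: str) -> list[str]:
    """Split an SMB-style path (backslash or slash separated) into components,
    rejecting anything that could change where the file lands."""
    if "\x00" in remote_name:
        raise ValueError("NUL byte in remote filename")
    normalized = remote_name.replace("\\", "/")  # assumption: '\' is a separator
    if normalized.startswith("/"):
        raise ValueError("absolute remote path rejected: %r" % remote_name)
    parts = [p for p in normalized.split("/") if p != ""]
    if not parts:
        raise ValueError("empty remote filename")
    for part in parts:
        if part in (".", ".."):
            raise ValueError("traversal component %r in %r" % (part, remote_name))
    return parts


def is_traversal(remote_name: str) -> bool:
    """True when the remote name would be rejected by split_remote_name."""
    try:
        split_remote_name(remote_name)
    except ValueError:
        return True
    return False


def safe_output_path(root: str, share: str, remote_name: str) -> str:
    """Hardened: validated components plus a final containment check."""
    root_abs = os.path.realpath(root)
    share_parts = split_remote_name(share)
    if len(share_parts) != 1:
        raise ValueError("share name must be a single component: %r" % share)
    dest = os.path.realpath(
        os.path.join(root_abs, share_parts[0], *split_remote_name(remote_name))
    )
    # Belt and braces: realpath resolves any symlink already present under
    # root, so a link pointing outside is also caught here.
    if os.path.commonpath([root_abs, dest]) != root_abs:
        raise ValueError("destination %r escapes output root %r" % (dest, root_abs))
    return dest


if __name__ == "__main__":
    # Constructed filenames, as a crawler might receive them from a Linux share.
    samples = [
        "docs/report.txt",
        "../../../outside.txt",
        "sub\\..\\..\\..\\outside.txt",
        "/abs/path.txt",
    ]
    for name in samples:
        naive = naive_output_path(OUTPUT_ROOT, "share", name)
        try:
            safe = safe_output_path(OUTPUT_ROOT, "share", name)
            print(f"{name!r}: naive -> {naive}; safe -> {safe}")
        except ValueError as exc:
            print(f"{name!r}: naive -> {naive}; safe -> REJECTED ({exc})")
```

Rejecting the file (rather than silently renaming it) is the deliberate choice here: a traversal component in a share listing is itself a signal worth logging, which ties in with the file-integrity monitoring recommended above.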


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-24T15:19:29.716Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f9a40b7ef31ef0b7260fd

Added to database: 2/26/2026, 12:56:32 AM

Last enriched: 3/5/2026, 11:14:39 AM

Last updated: 4/12/2026, 3:08:50 AM

