CVE-2017-7494

CRITICAL KEV RANSOMWARE LAB

Samba is_known_pipename() Arbitrary Module Load

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2017-7494 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 30, 2023, with confirmed use in ransomware campaigns. EIP tracks 27 public exploits from researchers including Metasploit, steelo, qazbnm456, including a Metasploit module exploits/linux/samba/is_known_pipename.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-7494, a vulnerability in Samba that allows arbitrary shared library loading. It uploads a malicious .so file to a writable SMB share and triggers its execution via a DCERPC call.

Description

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

Exploits (27)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/42084

This Metasploit module exploits CVE-2017-7494, a vulnerability in Samba that allows arbitrary shared library loading. It uploads a malicious .so file to a writable SMB share and triggers its execution via a DCERPC call.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.5.0 to 4.4.14, 4.5.10, and 4.6.4
Auth required
Prerequisites: Valid SMB credentials · Writable SMB share · Knowledge of server-side path
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by steelo · pythonremotelinux
https://www.exploit-db.com/exploits/42060

This exploit targets CVE-2017-7494, a remote code execution vulnerability in Samba versions 3.5.0 to 4.5.4/4.5.10/4.4.14. It leverages a flaw in the SMB protocol to execute arbitrary code on the target system via a malicious shared library.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.5.0 - 4.5.4/4.5.10/4.4.14
No auth needed
Prerequisites: Network access to the target Samba server · SMB port (445) accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-7494.md

This repository provides a curated list of references and external links to PoCs for CVE-2017-7494, a remote code execution vulnerability in Samba. It includes links to Metasploit modules, GitHub PoCs, and technical analyses but does not contain direct exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (versions 3.5.0 to 4.6.4/4.5.10/4.4.14)
No auth needed
Prerequisites: writable share access · network access to vulnerable Samba server
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 381 stars
by opsxcq · remote
https://github.com/opsxcq/exploit-CVE-2017-7494

This repository contains a functional exploit for CVE-2017-7494 (SambaCry), which allows remote authenticated users to upload a shared library to a writable share and execute arbitrary code via a crafted named pipe. The exploit includes a Python script to trigger the vulnerability and a C-based bind shell payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4
Auth required
Prerequisites: Authenticated access to a writable Samba share · Compiled shared library payload · Network access to the target Samba service
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 260 stars
by joxeankoret · remote
https://github.com/joxeankoret/CVE-2017-7494

This is a functional exploit for CVE-2017-7494, a remote code execution vulnerability in Samba. It compiles a malicious shared library, uploads it to a writable share, and loads it to achieve a reverse shell with root privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (versions 3.5.0 to 4.6.4, 4.5.10, 4.4.14)
Auth required
Prerequisites: Network access to vulnerable Samba server · Valid credentials or guest access to a writable share · Compilation environment for the payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 181 stars
by betab0t · remote
https://github.com/betab0t/cve-2017-7494

This repository contains a proof-of-concept exploit for CVE-2017-7494, a remote code execution vulnerability in Samba. The exploit leverages a shared library loaded via a malicious module path to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 4.5.9
No auth needed
Prerequisites: Samba server with vulnerable version · Access to a writable share
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 63 stars
by Waffles-2 · poc
https://github.com/Waffles-2/SambaCry

This repository contains an Nmap NSE script for detecting CVE-2017-7494, a remote code execution vulnerability in Samba. The script is designed to identify vulnerable Samba servers without exploiting them.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4
No auth needed
Prerequisites: Nmap with NSE support
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 57 stars
by brianwrf · remote
https://github.com/brianwrf/SambaHunter

This is a functional exploit for CVE-2017-7494, a remote code execution vulnerability in Samba versions 3.5.0 to 4.5.4/4.5.10/4.4.14. It generates a shared library payload, uploads it to writable Samba shares, and triggers execution via brute-forced paths.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.5.0 - 4.5.4/4.5.10/4.4.14
No auth needed
Prerequisites: Network access to vulnerable Samba server · gcc for payload compilation · smbclient and pysmbclient installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-7494.md

This repository provides a curated list of references and external links to PoCs for CVE-2017-7494, a remote code execution vulnerability in Samba. It includes links to Metasploit modules, GitHub PoCs, and technical analyses but does not contain direct exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (versions 3.5.0 to 4.6.4/4.5.10/4.4.14)
No auth needed
Prerequisites: Writable share access on the target Samba server
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 7 stars
by d3fudd · remote
https://github.com/d3fudd/CVE-2017-7494_SambaCry

This repository contains a functional exploit for CVE-2017-7494 (SambaCry), which leverages a shared library upload and execution to achieve remote code execution via a bind shell. The exploit includes a C-based bind shell payload and a Python script to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4
No auth needed
Prerequisites: Network access to vulnerable Samba server · Write permissions on a shared directory · Samba server with vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by 0xm4ud · remote
https://github.com/0xm4ud/noSAMBAnoCRY-CVE-2017-7494

This repository contains a functional exploit for CVE-2017-7494, a remote code execution vulnerability in Samba. The exploit compiles a malicious shared library, uploads it to a writable share, and triggers its execution via the `is_known_pipename` vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.5.0 to 4.6.4/4.5.10/4.4.14
Auth required
Prerequisites: Network access to vulnerable Samba server · Valid credentials or hashes for authentication · Writable share on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by I-Rinka · poc
https://github.com/I-Rinka/BIT-EternalBlue-for-macOS_Linux

This repository contains a working exploit for CVE-2017-7494, targeting Samba versions 3.5.0 to 4.6.3. It leverages a logic flaw in the `smb_probe_module` function to load a malicious shared library, resulting in remote code execution (RCE) via a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.5.0 to 4.6.3
No auth needed
Prerequisites: Network access to vulnerable Samba server · Python 3 with modified impacket library · Compiled malicious payload (shared library)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab WORKING POC 1 stars
by baerle · remote
https://gitlab.com/baerle/exploit-cve-2017-7494

This repository contains a functional exploit for CVE-2017-7494, a remote code execution vulnerability in Samba. It includes a Python exploit script, a bind shell payload, and a Docker environment for testing.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4
Auth required
Prerequisites: authenticated user access · writable share on the target
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 00mjk · remote
https://github.com/00mjk/exploit-CVE-2017-7494

This repository contains a functional exploit for CVE-2017-7494 (SambaCry), which allows remote authenticated users to upload a shared library to a writable share and execute arbitrary code via a crafted named pipe. The exploit includes a bind shell payload and a Python script to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4
Auth required
Prerequisites: Authenticated access to a writable Samba share · Compiled shared library payload (e.g., libbindshell-samba.so)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 1 stars
by Zer0d0y · poc
https://github.com/Zer0d0y/Samba-CVE-2017-7494

This repository contains a README linking to a blog post about CVE-2017-7494, a remote code execution vulnerability in Samba. No actual exploit code is present.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.6.4/4.5.10/4.4.14
No auth needed
Prerequisites: Network access to vulnerable Samba server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab WORKING POC
by 0x1 · remote
https://gitlab.com/0x1/CVE-2017-7494

This repository contains a functional exploit for CVE-2017-7494, a remote code execution vulnerability in Samba. The exploit compiles a malicious shared library, uploads it to a writable Samba share, and triggers its execution to achieve a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (versions 3.5.0 to 4.6.4/4.5.10/4.4.14)
Auth required
Prerequisites: writable Samba share · network access to target · valid credentials (or guest access)
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by Zanex360 · poc
https://github.com/Zanex360/cdt-vulnsamba-deploy

This repository provides an Ansible-based deployment of a vulnerable Samba server (version 4.5.9) affected by CVE-2017-7494, a critical RCE vulnerability. It is designed for training and competition purposes, allowing attackers to exploit the vulnerability via malicious shared object uploads.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 through 4.6.4
No auth needed
Prerequisites: Ubuntu 22.04 target · Ansible 2.12+ · Python 3.x · SSH access to target · TCP port 445 reachable
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by Zanex360 · poc
https://github.com/Zanex360/cdt-samba-deploy

This repository contains only a README file describing an Ansible playbook for deploying CVE-2017-7494 (SambaCry) but lacks actual exploit code or implementation details.

Classification
Stub 90%
Attack Type
Rce
Complexity
Theoretical
Reliability
Theoretical
Target: Samba versions 3.5.0 to 4.6.4/4.5.10/4.4.14
No auth needed
Prerequisites: Access to a vulnerable Samba server · Ansible environment for deployment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by sudlit · remote
https://github.com/sudlit/CVE-2017-7494

This is a functional exploit for CVE-2017-7494, a remote code execution vulnerability in Samba. It compiles a malicious shared library, uploads it to a writable share, and loads it via a vulnerable RPC endpoint to achieve a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba (versions 3.5.0 to 4.6.4/4.5.10/4.4.14)
Auth required
Prerequisites: Network access to vulnerable Samba server · Writable share or valid credentials · Compilation environment for payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by FelipeR-UFBA · poc
https://github.com/FelipeR-UFBA/cve-2017-7494-fixed

This repository contains a Docker setup for Samba but lacks actual exploit code for CVE-2017-7494. It only starts Samba services and drops into a shell.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Samba (version not specified)
No auth needed
Prerequisites: Docker environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by adjaliya · poc
https://github.com/adjaliya/-CVE-2017-7494-Samba-Exploit-POC

This repository contains a README describing CVE-2017-7494, a critical remote code execution vulnerability in Samba. It provides details on affected versions and the patch release but does not include exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: Samba versions < 4.6.4, < 4.5.10, < 4.4.14
No auth needed
Prerequisites: Network access to vulnerable Samba server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by cved-sources · poc
https://github.com/cved-sources/cve-2017-7494

This repository contains a vulnerable Docker container for CVE-2017-7494, a remote code execution vulnerability in Samba. The provided files include Samba source code and build configurations, likely used to demonstrate the exploit in a controlled environment.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4
No auth needed
Prerequisites: Network access to a vulnerable Samba server · Ability to send crafted packets to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by Hansindu-M · poc
https://github.com/Hansindu-M/CVE-2017-7494_IT19115344

This repository contains a README describing CVE-2017-7494, a remote code execution vulnerability in Samba, but lacks actual exploit code. It includes a link to a video demonstration.

Classification
Writeup 30%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Samba (versions affected by CVE-2017-7494)
Auth required
Prerequisites: Authenticated access to a Samba share with write permissions
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by incredible1yu · remote
https://github.com/incredible1yu/CVE-2017-7494

This PoC exploits CVE-2017-7494, a remote code execution vulnerability in Samba, by uploading a malicious shared library (`libsamba.so`) and triggering its execution via a crafted pipe name. The library contains a reverse shell payload connecting to a specified IP and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.6.4/4.5.10/4.4.14
No auth needed
Prerequisites: Access to a vulnerable Samba server · Network connectivity to the target · Compiled `libsamba.so` with reverse shell payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by homjxi0e · remote
https://github.com/homjxi0e/CVE-2017-7494

This is a Metasploit module for CVE-2017-7494, which exploits a vulnerability in Samba allowing arbitrary shared library load. It requires valid credentials and a writeable share to upload and execute a malicious library.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4
Auth required
Prerequisites: Valid credentials · Writeable SMB share · Knowledge of server-side path
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb

This Metasploit module exploits CVE-2017-7494, a vulnerability in Samba that allows arbitrary shared library loading. It requires valid credentials, a writable SMB share, and server-side path knowledge to upload and execute a malicious payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4
Auth required
Prerequisites: Valid SMB credentials · Writable SMB share · Knowledge of server-side path
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98636
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3860
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42084/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1270
Patch, Vendor Advisory x_refsource_confirm
https://www.samba.org/samba/security/CVE-2017-7494.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1390
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038552
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1273
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1271
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201805-07
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1272
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20170524-0001/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42060/

Scores

CVSS v3 9.8
EPSS 0.9418
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull vulnerables/cve-2017-7494
+20 more repos

Details

CISA KEV 2023-03-30
VulnCheck KEV 2017-12-05
InTheWild.io 2017-07-20
ENISA EUVD EUVD-2017-16511
Ransomware Use Confirmed
CWE
CWE-94
Status published
Products (3)
debian/debian_linux 8.0
samba/samba 3.5.0 - 4.4.0
Samba/samba since 3.5.0
Published May 30, 2017
KEV Added Mar 30, 2023
Tracked Since Feb 18, 2026