ProjectDiscovery Interactsh - Files or Directories Accessible to External Parties
Description
Files or Directories Accessible to External Parties vulnerability in smb server in ProjectDiscovery Interactsh allows remote attackers to read/write any files in the directory and subdirectories of where the victim runs interactsh-server via anonymous login.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ProjectDiscovery Interactsh SMB server allows anonymous remote attackers to read/write arbitrary files on the server filesystem.
Overview
CVE-2024-5262 is a CWE-552 vulnerability (Files or Directories Accessible to External Parties) in the SMB server component of ProjectDiscovery Interactsh [3]. The SMB server, a self-hosted feature, does not properly scope the share, allowing an unauthenticated remote attacker to access files outside the intended directory [1][4]. The root cause is insufficient access controls on the SMB share path.
Exploitation
An attacker can exploit this by connecting to the victim's Interactsh SMB server with anonymous login credentials. No prior authentication or network position is required beyond network access to the server [2][3]. The attacker can then read and write files in the directory where Interactsh-server runs, as well as all subdirectories [2][3].
Impact
Successful exploitation gives the attacker arbitrary read and write access to the server's filesystem. This could lead to data exfiltration, file modification, or further compromise of the host system [3].
Mitigation
A fix has been merged in pull request #874, which provides better scoping of the SMB share to limit access to the intended directory [2][4]. Users are advised to update to the latest version of Interactsh. No workaround is provided, but self-hosted users can restrict network access to the SMB server as a temporary measure.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/projectdiscovery/interactsh (Go) | < 1.2.0 | 1.2.0 |
Affected products (4)
- osv-coords (3 versions): < 3.2.8-r2 and 2 more
  - (no CPE) range: < 3.2.8-r2
  - (no CPE) range: < 3.2.8-r2
  - (no CPE) range: < 1.2.0
- ProjectDiscovery/Interactsh v5 range: v0.0.6
Patches (1)
6a0cb98b1663 Better scoping of smb share (#874)
1 file changed · +6 −1
cmd/interactsh-server/smb_server.py+6 −1 modified@@ -1,6 +1,11 @@ import sys from impacket import smbserver +def configure_shares(server): + shares = ["IPC$", "ADMIN$", "C$", "PRINT$", "FAX$", "NETLOGON", "SYSVOL"] + for share in shares: + server.removeShare(share) + log_filename = "log.txt" if len(sys.argv) >= 2: log_filename = sys.argv[1] @@ -10,7 +15,7 @@ server = smbserver.SimpleSMBServer(listenAddress="0.0.0.0", listenPort=port) server.setSMB2Support(True) -server.addShare("interactsh", "/interactsh") +configure_shares(server) server.setSMBChallenge('') server.setLogFile(log_filename) server.start()
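Review bot: the hunk removes the only file-backed share the server exposed (`server.addShare("interactsh", "/interactsh")`) and replaces it with `configure_shares`, which strips a fixed list of share names including `IPC$`, but nothing in the diff states what the listener is meant to serve afterwards; add a docstring or comment on `configure_shares` saying that the interactsh SMB listener is intended to expose no file-backed share at all and only record interactions in the file set via `server.setLogFile`, so that a later maintainer does not re-add a share mapped to a host directory. Two smaller points: confirm that `removeShare` tolerates names that were never registered (`ADMIN$`, `C$`, `PRINT$`, `FAX$`, `NETLOGON`, `SYSVOL`) or guard the loop accordingly, and note in the same comment that `server.setSMBChallenge('')` still permits anonymous sessions by design, which is acceptable only because no share remains behind them.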
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/projectdiscovery/interactsh/pull/874 (ghsa; patch; WEB)
- github.com/advisories/GHSA-q5mg-pc7r-r8cr (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-5262 (ghsa; ADVISORY)
- zuso.ai/advisory/za-2024-01 (ghsa; third-party-advisory; WEB)
- github.com/projectdiscovery/interactsh/commit/6a0cb98b16636a98712729f3d23e34d8bf7260e7 (ghsa; WEB)
- pkg.go.dev/vuln/GO-2024-2907 (ghsa; WEB)
News mentions (0)
No linked articles in our index yet.