diff --git a/CHANGELOG b/CHANGELOG
index b93c57050..c3aec3872 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ CHANGELOG Roundcube Webmail
 - Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028)
 - Managesieve: Fix so modifier type select wasn't hidden after hiding modifier select on header change
 - Managesieve: Fix filter selection after removing a first filter (#7079)
+- Password: Fix kpasswd and smb drivers' double-escaping bug (#7092)
 - Enigma: Add script to import keys from filesystem to the db storage (for multihost)
 - Installer: Fix DB Write test on SQLite database ("database is locked" error) (#7064)
 - Installer: Fix so SQLite DSN with a relative path to the database file works in Installer
diff --git a/plugins/password/drivers/kpasswd.php b/plugins/password/drivers/kpasswd.php
index 78abe7293..fbee8b7b3 100644
--- a/plugins/password/drivers/kpasswd.php
+++ b/plugins/password/drivers/kpasswd.php
@@ -19,8 +19,8 @@ class rcube_kpasswd_password
 {
     public function save($currpass, $newpass, $username)
     {
-        $bin      = rcmail::get_instance()->config->get('password_kpasswd_cmd', '/usr/bin/kpasswd');
-        $cmd      = $bin . ' "' . escapeshellarg($username) . '" 2>&1';
+        $bin = rcmail::get_instance()->config->get('password_kpasswd_cmd', '/usr/bin/kpasswd');
+        $cmd = $bin . ' ' . escapeshellarg($username) . ' 2>&1';
 
         $handle = popen($cmd, "w");
         fwrite($handle, $currpass."\n");
diff --git a/plugins/password/drivers/pw_usermod.php b/plugins/password/drivers/pw_usermod.php
index d439d6fb2..65bc8c96c 100644
--- a/plugins/password/drivers/pw_usermod.php
+++ b/plugins/password/drivers/pw_usermod.php
@@ -32,7 +32,7 @@ class rcube_pw_usermod_password
 {
     public function save($currpass, $newpass, $username)
     {
-        $cmd = rcmail::get_instance()->config->get('password_pw_usermod_cmd');
+        $cmd = rcmail::get_instance()->config->get('password_pw_usermod_cmd', 'sudo /usr/sbin/pw usermod -h 0 -n');
         $cmd .= ' ' . escapeshellarg($username) . ' > /dev/null';
 
         $handle = popen($cmd, 'w');
diff --git a/plugins/password/drivers/smb.php b/plugins/password/drivers/smb.php
index 5d916d24a..a8148f999 100644
--- a/plugins/password/drivers/smb.php
+++ b/plugins/password/drivers/smb.php
@@ -41,11 +41,11 @@ class rcube_smb_password
 
     public function save($currpass, $newpass, $username)
     {
-        $host     = rcmail::get_instance()->config->get('password_smb_host','localhost');
-        $bin      = rcmail::get_instance()->config->get('password_smb_cmd','/usr/bin/smbpasswd');
+        $host     = rcmail::get_instance()->config->get('password_smb_host', 'localhost');
+        $bin      = rcmail::get_instance()->config->get('password_smb_cmd', '/usr/bin/smbpasswd');
         $host     = rcube_utils::parse_host($host);
-        $tmpfile  = tempnam(sys_get_temp_dir(),'smb');
-        $cmd      = $bin . ' -r ' . escapeshellarg($host) . ' -s -U "' . escapeshellarg($username) . '" > ' . $tmpfile . ' 2>&1';
+        $tmpfile  = tempnam(sys_get_temp_dir(), 'smb');
+        $cmd      = $bin . ' -r ' . escapeshellarg($host) . ' -s -U ' . escapeshellarg($username) . ' > ' . $tmpfile . ' 2>&1';
         $handle   = @popen($cmd, 'w');
 
         fwrite($handle, $currpass."\n");