CVE-2025-0620 — Files or Directories Accessible to External Parties in Samba

CWE-552 — Files or Directories Accessible to External Parties CWE-282 — Improper Ownership Management8 documents7 sources

Severity

4.9MEDIUMNVD

EPSS

0.6%

top 31.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba

Timeline

PublishedJun 6

Latest updateJun 10

Description

A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDsamba/samba4.21.0 — 4.21.6+1

▶Debiansamba/samba< 2:4.22.2+dfsg-1+1

🔴Vulnerability Details

OSV

CVE-2025-0620: A flaw was found in Samba↗2025-06-06

▶

GHSA

GHSA-8q8w-8225-6gq4: A flaw was found in Samba↗2025-06-06

▶

CVEList

Samba: smbd doesn't pick up group membership changes when re-authenticating an expired smb session↗2025-06-06

▶

📋Vendor Advisories

Ubuntu

Samba vulnerability↗2025-06-10

▶

Red Hat

screen: Screen by Default Creates World Writable PTYs↗2025-05-13

▶

Debian

CVE-2025-0620: samba - A flaw was found in Samba. The smbd service daemon does not pick up group member...↗2025

▶

Red Hat

samba: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session↗2024-06-03

▶