CVE-2025-10230
published 2025-11-07


Priority: P1 · 82 · critical · CVSS 3.1: 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 39.68% (98.4th percentile)
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2:4.17.12+dfsg-0+deb12u3 (bookworm) | samba 2:4.17.12+dfsg-0+deb12u3 (bookworm) |
| samba | samba | >= 0 < 2:4.17.12+dfsg-0+deb12u3 | 2:4.17.12+dfsg-0+deb12u3 |
| samba | samba | >= 0 < 2:4.22.6+dfsg-0+deb13u1 | 2:4.22.6+dfsg-0+deb13u1 |
| samba | samba | >= 0 < 2:4.23.2+dfsg-1 | 2:4.23.2+dfsg-1 |
| samba | samba | >= 0 < 2:4.15.13+dfsg-0ubuntu1.10 | 2:4.15.13+dfsg-0ubuntu1.10 |
| samba | samba | >= 0 < 2:4.19.5+dfsg-4ubuntu9.4 | 2:4.19.5+dfsg-4ubuntu9.4 |
| samba | samba | >= 0 < 2:4.22.3+dfsg-4ubuntu2.1 | 2:4.22.3+dfsg-4ubuntu2.1 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm15 | 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm15 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.16.04.34+esm4 | 2:4.3.11+dfsg-0ubuntu0.16.04.34+esm4 |
| samba | samba | >= 0 < 2:4.7.6+dfsg~ubuntu-0ubuntu2.29+esm3 | 2:4.7.6+dfsg~ubuntu-0ubuntu2.29+esm3 |
| samba | samba | >= 0 < 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm1 | 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm1 |

Detection & IOCs (extracted from sources)

  • The vulnerable code path executes NetBIOS name data via 'sh -c', so shell metacharacters (e.g., semicolons, backticks, pipes, $()) injected into NetBIOS names in WINS registration packets are the exploit primitive. Detect unexpected child processes spawned by the Samba process (smbd/nmbd/samba) on an AD DC.
  • Exploitation requires Samba configured as an Active Directory Domain Controller with WINS support enabled and a 'wins hook' script configured. Audit smb.conf for 'wins hook' and 'wins support = yes' directives as a precondition indicator.
  • The vulnerability is in the front-end WINS hook handling (wins hook mechanism). Alert on any process execution where the parent process is a Samba daemon (samba, nmbd, smbd) and the child is 'sh' with '-c' argument on an AD DC system.
  • This vulnerability only affects Samba when deployed as an Active Directory Domain Controller (AD DC) with WINS support enabled. Standard Samba file server deployments are NOT affected. Red Hat explicitly states their RHEL Samba packages are not affected because they do not ship AD DC functionality.
  • The attack requires no authentication and is reachable over the network, making it trivially exploitable on any exposed Samba AD DC with WINS hook configured. The Samba process often runs as root on a DC, meaning successful exploitation yields full system compromise.
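The smb.conf audit described in the list above can be scripted. The following is an added example, not code from this page or from the Samba project; it checks the `[global]` section for the three preconditions (AD DC role, `wins support`, `wins hook`), and the sample configuration and hook path are constructed.

```python
import re

# "server role" values that select the AD DC role (per the smb.conf man page).
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
TRUE_VALUES = {"yes", "true", "on", "1"}   # spellings Samba accepts for a true boolean

def _norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section.
    'include' directives are not followed; audit included files separately."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def audit(text):
    """Report the preconditions this page lists for CVE-2025-10230."""
    p = parse_global(text)
    result = {
        "ad_dc": p.get("serverrole", "").lower() in AD_DC_ROLES,
        "wins_support": p.get("winssupport", "").lower() in TRUE_VALUES,
        "wins_hook": p.get("winshook", ""),
    }
    result["exposed"] = (result["ad_dc"] and result["wins_support"]
                         and bool(result["wins_hook"]))
    return result

# Constructed sample configuration (hypothetical hook path).
SAMPLE = """[global]
    Server Role = active directory domain controller
    wins support = Yes
    ; wins hook = /old/disabled-hook
    WINS Hook = /usr/local/sbin/wins-update.sh
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A host that reports `exposed` as true still needs its package version compared against the "Fixed in" column above before it is treated as vulnerable.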

CVSS provenance

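| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |
| vendor_ubuntu | | 10.0 | CRITICAL | |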