CVE-2025-10230
Published: 2025-11-07
Priority: P1 · 82 · critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 39.68% (98.4th percentile)
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2:4.17.12+dfsg-0+deb12u3 (bookworm) | samba 2:4.17.12+dfsg-0+deb12u3 (bookworm) |
| samba | samba | >= 0 < 2:4.17.12+dfsg-0+deb12u3 | 2:4.17.12+dfsg-0+deb12u3 |
| samba | samba | >= 0 < 2:4.22.6+dfsg-0+deb13u1 | 2:4.22.6+dfsg-0+deb13u1 |
| samba | samba | >= 0 < 2:4.23.2+dfsg-1 | 2:4.23.2+dfsg-1 |
| samba | samba | >= 0 < 2:4.15.13+dfsg-0ubuntu1.10 | 2:4.15.13+dfsg-0ubuntu1.10 |
| samba | samba | >= 0 < 2:4.19.5+dfsg-4ubuntu9.4 | 2:4.19.5+dfsg-4ubuntu9.4 |
| samba | samba | >= 0 < 2:4.22.3+dfsg-4ubuntu2.1 | 2:4.22.3+dfsg-4ubuntu2.1 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm15 | 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm15 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.16.04.34+esm4 | 2:4.3.11+dfsg-0ubuntu0.16.04.34+esm4 |
| samba | samba | >= 0 < 2:4.7.6+dfsg~ubuntu-0ubuntu2.29+esm3 | 2:4.7.6+dfsg~ubuntu-0ubuntu2.29+esm3 |
| samba | samba | >= 0 < 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm1 | 2:4.15.13+dfsg-0ubuntu0.20.04.8+esm1 |
Detection & IOCs
- The vulnerable code path executes NetBIOS name data via 'sh -c', so shell metacharacters (e.g., semicolons, backticks, pipes, $()) injected into NetBIOS names in WINS registration packets are the exploit primitive. Detect unexpected child processes spawned by the Samba process (smbd/nmbd/samba) on an AD DC.
- Exploitation requires Samba configured as an Active Directory Domain Controller with WINS support enabled and a 'wins hook' script configured. Audit smb.conf for 'wins hook' and 'wins support = yes' directives as a precondition indicator.
- The vulnerability is in the front-end WINS hook handling (wins hook mechanism). Alert on any process execution where the parent process is a Samba daemon (samba, nmbd, smbd) and the child is 'sh' with '-c' argument on an AD DC system.
- This vulnerability only affects Samba when deployed as an Active Directory Domain Controller (AD DC) with WINS support enabled. Standard Samba file server deployments are NOT affected. Red Hat explicitly states their RHEL Samba packages are not affected because they do not ship AD DC functionality.
- The attack requires no authentication and is reachable over the network, making it trivially exploitable on any exposed Samba AD DC with WINS hook configured. The Samba process often runs as root on a DC, meaning successful exploitation yields full system compromise.
CVSS provenance
- nvd · v3.1 · 10.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- osv · 10.0 · CRITICAL
- vendor_debian · 10.0 · CRITICAL
- vendor_redhat · 10.0 · CRITICAL
- vendor_ubuntu · 10.0 · CRITICAL
GHSA
GHSA-88qg-f543-x242: A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validatio
ghsa_unreviewed·2025-11-07
CVE-2025-10230 [CRITICAL] CWE-78
OSV
CVE-2025-10230: A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validatio
osv·2025-11-07·CVSS 10.0
CVE-2025-10230 [CRITICAL]
OSV
samba vulnerabilities
osv·2025-10-20·CVSS 10.0
CVE-2025-9640 [CRITICAL] samba vulnerabilities
USN-7826-1 fixed vulnerabilities in Samba. This update provides the
corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu
18.04 LTS and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Walker discovered that Samba incorrectly initialized memory in the
vfs_streams_xattr module. An authenticated attacker could possibly use this
issue to obtain sensitive information. (CVE-2025-9640)
Igor Morgenstern discovered that Samba incorrectly handled names passed to
the WINS hook program. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2025-10230)
OSV
samba vulnerabilities
osv·2025-10-16·CVSS 10.0
CVE-2025-9640 [CRITICAL] samba vulnerabilities
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2025-10-20·CVSS 10.0
CVE-2025-9640 [CRITICAL] Samba vulnerabilities
Title: Samba vulnerabilities
Summary: Several security issues were fixed in Samba.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2025-10-16·CVSS 10.0
CVE-2025-10230 [CRITICAL] Samba vulnerabilities
Red Hat
samba: Command Injection in WINS Server Hook Script
vendor_redhat·2025-10-15·CVSS 10.0
CVE-2025-10230 [CRITICAL] CWE-78 samba: Command Injection in WINS Server Hook Script
Debian
CVE-2025-10230: samba - A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names fr...
vendor_debian·2025·CVSS 10.0
Scope: local
bookworm: resolved (fixed in 2:4.17.12+dfsg-0+deb12u3)
bullseye: open
forky: resolved (fixed in 2:4.23.2+dfsg-1)
sid: resolved (fixed in 2:4.23.2+dfsg-1)
trixie: resolved (fixed in 2:4.22.6+dfsg-0+deb13u1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://access.redhat.com/security/cve/CVE-2025-10230
- https://bugzilla.redhat.com/show_bug.cgi?id=2394377
- https://www.samba.org/samba/history/security.html
- https://www.vicarius.io/vsociety/posts/cve-2025-10230-detect-samba-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-10230-mitigate-samba-vulnerability
Published: 2025-11-07