The Samba Team has released an urgent security advisory addressing two vulnerabilities, including a critical command injection flaw (CVE-2025-10230) that could allow unauthenticated remote code execution (RCE) on Samba Active Directory Domain Controllers (AD DCs).
The flaw carries a CVSS score of 10.0, the maximum possible, and affects systems where the WINS server feature is enabled with a “wins hook” parameter configured.
“If the ‘wins hook’ parameter is set on a domain controller with the WINS server enabled, unauthenticated remote code execution is possible,” the Samba Team warned.
CVE-2025-10230: Command Injection via WINS Server Hook
The issue arises from insufficient input validation in the WINS server implementation of Samba AD DCs. When a WINS name is registered or changed, Samba executes the program defined in the “wins hook” parameter, but it did not sanitize the name data before passing it to the system shell.
“The WINS server used by the Samba Active Directory Domain Controller did not validate the names passed to the wins hook program, and it passed them by inserting them into a string run by a shell,” the advisory explains.
This flaw means that a malicious client could send a specially crafted NetBIOS name, including shell metacharacters (such as ; or |), leading to arbitrary command execution on the affected domain controller.
Because the attack requires no authentication, it poses an especially high risk to enterprise networks using outdated or legacy configurations.
“WINS is an obsolete and trusting protocol… clients can request any name that fits within the 15-character NetBIOS limit. This includes some shell metacharacters, making it possible to run arbitrary commands on the host,” the Samba Team added.
The vulnerability only affects domain controllers with WINS support enabled and a non-empty “wins hook” parameter. Other Samba servers, such as member servers or standalone hosts, are not impacted.
“The WINS server used by Samba when it is not a domain controller is unaffected,” the advisory clarifies.
As an immediate mitigation, administrators should avoid setting the “wins hook” parameter in their smb.conf file on domain controllers.
“Avoid setting the ‘wins hook’ parameter in the smb.conf of a Samba AD Domain Controller,” Samba recommended.
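The advisory describes the root cause as an untrusted name being inserted into a command string that a shell then runs. The following added example (not Samba's code; the hook path, the argument order "operation, name" and the character allowlist are assumptions for illustration) contrasts that pattern with two hardened alternatives: validating the name against a conservative allowlist and the 15-character NetBIOS limit, and invoking the hook as an argv list with no shell at all (or, if a shell is unavoidable, quoting with shlex.quote). The unsafe builder only returns the string so the effect of metacharacters can be inspected without executing anything.

```python
import re
import shlex
import subprocess

# NetBIOS names are limited to 15 characters (per the advisory).
NETBIOS_MAX_LEN = 15

# Assumption: a deliberately narrow allowlist for a name that becomes a hook
# argument. It is stricter than what NetBIOS itself permits.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,15}")

# Characters a POSIX shell would interpret if the name were spliced into a command line.
SHELL_META = frozenset(";|&$`<>(){}'\"\\\n\t ")


def unsafe_hook_command(hook: str, operation: str, name: str) -> str:
    """The vulnerable pattern: build a shell command string by concatenation.

    Returned, never executed here; shows how an unvalidated name becomes part of
    the command line the shell would parse."""
    return f"{hook} {operation} {name}"


def contains_shell_metacharacters(name: str) -> bool:
    """Detection helper: does this name carry anything a shell would interpret?"""
    return any(ch in SHELL_META for ch in name)


def validate_netbios_name(name: str) -> bool:
    """Reject names that should never reach a hook: empty, too long, or outside the allowlist."""
    return len(name) <= NETBIOS_MAX_LEN and SAFE_NAME.fullmatch(name) is not None


def safe_hook_argv(hook: str, operation: str, name: str) -> list[str]:
    """Hardened form 1: validated name passed as a single argv element (no shell)."""
    if not validate_netbios_name(name):
        raise ValueError(f"rejected WINS name: {name!r}")
    return [hook, operation, name]


def quoted_hook_command(hook: str, operation: str, name: str) -> str:
    """Hardened form 2: if a shell must be used, quote every argument so the
    name is one literal word and metacharacters lose their meaning."""
    return " ".join(shlex.quote(part) for part in (hook, operation, name))


def run_hook(hook: str, operation: str, name: str) -> subprocess.CompletedProcess:
    """Run the hook with shell=False; the name is never re-parsed by a shell."""
    argv = safe_hook_argv(hook, operation, name)
    return subprocess.run(argv, check=False)


if __name__ == "__main__":
    hook = "/usr/local/sbin/wins-notify"  # assumed, illustrative path
    for candidate in ("WORKSTATION01", "HOST;X", "A" * 16):
        print(candidate, "metachars" if contains_shell_metacharacters(candidate) else "clean",
              "accepted" if validate_netbios_name(candidate) else "rejected")
    print(unsafe_hook_command(hook, "add", "HOST;X"))
    print(quoted_hook_command(hook, "add", "HOST;X"))
```

The point of the two hardened forms is that correctness no longer depends on guessing every dangerous character: with an argv list the shell is simply not involved, and with shlex.quote the whole name becomes one quoted word. The allowlist is an additional defence-in-depth check, not the primary control.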
Alternatively, disabling WINS entirely (wins support = no) also removes exposure.
“The default value for ‘wins support’ is ‘no’, so it is safe… the combination is safe regardless of ‘wins hook’,” the advisory noted.
The Samba Team also warned that the “wins hook” functionality is largely deprecated and may be removed in future releases.
“The ‘wins hook’ parameter is unlikely to be useful on a domain controller… it may not be supported in future Samba releases,” the developers stated.
CVE-2025-9640: Memory Disclosure in vfs_streams_xattr
In addition to the RCE bug, Samba patched a second flaw, CVE-2025-9640, rated CVSS 4.3 (Medium), involving an uninitialized memory disclosure in the vfs_streams_xattr module.
“Uninitialised memory can be written into alternate data streams, possibly leaking sensitive data,” the advisory explained.
This bug could allow authenticated users to read discarded heap memory samples by issuing write requests that create holes in files, potentially exposing data fragments from previous operations.
“An authenticated user can read an unlimited number of samples of discarded heap memory… due to a failure to initialise memory in streams_xattr_pwrite() in the vfs_streams_xattr file server module,” Samba said.
While Samba’s memory management practices mitigate the impact, since the system erases known secrets before freeing memory, sensitive data could still be exposed.
“Samba erases known secrets before freeing the associated memory, which somewhat mitigates the data leak,” the team noted.
Systems that do not use vfs_streams_xattr are unaffected, and the issue can be temporarily mitigated by removing the module from the configuration:
“Removing ‘streams_xattr’ from the ‘vfs objects’ list will avoid the vulnerability but will affect functionality,” Samba advised.
The Samba Team has released patched versions 4.23.2, 4.22.5, and 4.21.9, addressing both vulnerabilities. Administrators are strongly urged to update immediately or apply the patch manually.
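The mitigations above reduce to three checks an administrator can run against smb.conf and the installed version: is this an AD DC with WINS enabled and a non-empty “wins hook”; does any share (or the global section) load streams_xattr; and is the running Samba at or above the fixed release for its branch. The following added example (not Samba's own tooling) implements that audit over two constructed smb.conf fragments. The smb.conf parser is a simplified assumption (it handles sections, key = value lines, and # or ; comment lines only), the accepted spellings of the AD DC role are an assumption, and the treatment of branches outside 4.21 to 4.23 is labelled as such in the code.

```python
import re

# Constructed sample: the vulnerable combination for both CVEs.
VULNERABLE_CONF = """
[global]
    # constructed smb.conf for illustration
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/sbin/wins-notify
    vfs objects = streams_xattr

[profiles]
    path = /srv/profiles
"""

# Constructed sample: hook still set, but WINS disabled (safe per the advisory)
# and streams_xattr removed from 'vfs objects'.
HARDENED_CONF = """
[global]
    server role = active directory domain controller
    wins support = no
    wins hook = /usr/local/sbin/wins-notify
    vfs objects = acl_xattr

[profiles]
    path = /srv/profiles
"""

# Fixed releases named in the advisory, keyed by branch.
FIXED_VERSIONS = {(4, 23): (4, 23, 2), (4, 22): (4, 22, 5), (4, 21): (4, 21, 9)}

# Assumption: spellings of the AD DC role this audit recognises.
AD_DC_ROLES = {"active directory domain controller", "dc"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf reader: section -> {normalised key: value}."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())  # 'wins  support' -> 'wins support'
            sections[current][key] = value.strip()
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def audit(text: str) -> list[str]:
    """Return one finding string per exposed condition (empty list = nothing found)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    role = g.get("server role", "standalone server").strip().lower()
    wins_enabled = is_true(g.get("wins support", "no"))  # default is 'no'
    hook = g.get("wins hook", "").strip()
    if role in AD_DC_ROLES and wins_enabled and hook:
        findings.append("CVE-2025-10230: AD DC with 'wins support = yes' and 'wins hook' set; "
                        "unset 'wins hook' or set 'wins support = no'")
    for section, keys in conf.items():
        if "streams_xattr" in keys.get("vfs objects", "").split():
            findings.append(f"CVE-2025-9640: 'streams_xattr' loaded in [{section}]; "
                            "remove it from 'vfs objects' or upgrade")
    return findings


def is_patched(version: str) -> bool:
    """True if the version string is at or above the fixed release for its branch."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    branch = parts[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Assumption: branches newer than 4.23 carry the fix; branches older
        # than 4.21 received no fixed release in this advisory.
        return branch > (4, 23)
    return parts >= fixed


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
    for v in ("4.23.1", "4.23.2", "4.21.9", "4.20.6"):
        print(v, "patched" if is_patched(v) else "needs update")
```

Running the audit on the real smb.conf (for example with `audit(open("/etc/samba/smb.conf").read())`) gives a quick pre-upgrade triage; the version check is the authoritative test once the update is applied, since the configuration workarounds remove exposure but not the underlying bugs.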