What is Samba and why is this vulnerability important?

Samba is the open-source implementation of the SMB/CIFS networking protocol used in Linux and Unix environments to mimic Windows file sharing and authentication. The vulnerability is critical because it affects organizations running Samba as an Active Directory domain controller, potentially allowing unauthenticated attackers to execute arbitrary commands with system-level privileges.

What is the CVSS severity score for CVE-2025-10230?

CVE-2025-10230 has the maximum CVSS score of 10.0, indicating critical severity. This is the highest possible rating and reflects the fact that unauthenticated attackers can achieve complete remote code execution on vulnerable servers.

What Samba versions are affected by CVE-2025-10230?

The vulnerability affects all Samba versions since 4.0. Samba maintainers have released patched versions: 4.23.2, 4.22.5, and 4.21.9. Organizations running vulnerable configurations should update to these versions immediately.

What configuration is required for CVE-2025-10230 to be exploitable?

The vulnerability requires three specific conditions: First, the Samba Server needs to run as Active Directory domain controller (member or standalone servers use a different WINS server that is not vulnerable). Second, WINS support must be active. Third, there must be a custom wins hook script configured in the smb.conf file. By default, WINS support is disabled, but many administrators enable it to integrate legacy applications.

What patches are available for CVE-2025-10230?

Samba maintainers have released updated versions to address CVE-2025-10230: version 4.23.2, version 4.22.5, and version 4.21.9. Organizations running vulnerable configurations should patch as soon as possible to protect against potential exploitation.

What should administrators do about CVE-2025-10230?

Administrators should immediately update to patched Samba versions (4.23.2, 4.22.5, or 4.21.9). They should also avoid setting the wins hook parameter in the smb.conf of a Samba AD Domain Controller. The wins hook parameter is unlikely to be useful on a domain controller, and administrators who use it might want to reconsider that choice even on a patched server.

What mitigation options exist if patching cannot be done immediately?

There are two main mitigation options for CVE-2025-10230. First, removing or disabling the wins hook parameter provides an effective workaround as long as WINS support remains enabled. Second, disabling WINS support altogether by setting wins support equals no restores default safe behavior, but this may disrupt legacy name resolution for organizations that depend on it.

Is WINS support enabled by default in Samba?

No, by default WINS support is disabled in Samba. However, many administrators enable it to integrate legacy applications, which can create the vulnerable configuration when combined with a wins hook script on an Active Directory domain controller.

Does CVE-2025-10230 affect all Samba server configurations?

No, the vulnerability specifically affects Samba servers running as Active Directory domain controllers with WINS support enabled and a custom wins hook script configured. Samba servers running as member servers or standalone servers use a different WINS server implementation that is not vulnerable to this issue.

Advisory

Critical Samba flaw enables remote code execution on Samba servers running as Active Directory domain controllers

Q: What is CVE-2025-10230?

CVE-2025-10230 is a critical command injection vulnerability in Samba with a CVSS score of 10.0 that could allow unauthenticated attackers to achieve complete remote code execution on Samba servers running as Active Directory domain controllers. The vulnerability affects all Samba versions since 4.0 when specific configurations are present.

published: Oct. 16, 2025

Take action: If you're running Samba as an Active Directory domain controller with WINS support and a custom 'wins hook' script enabled, either disable wins hook or upgrade to Samba versions 4.23.2, 4.22.5, or 4.21.9 ASAP. The vulnerability allows command injection in a very weird scenario of using Wins and wins hook. You don't really need wins hook, and it will expose you to being hacked.

Learn More

Security researchers are reporting a critical command injection vulnerability in Samba that could allow unauthenticated attackers to achieve complete remote code execution on Samba servers running as Active Directory domain controllers.

Samba is the open-source implementation of the SMB/CIFS networking protocol used in Linux and Unix environments to mimic Windows file sharing and authentication. The vulnerability affects organizations running Samba as an Active Directory domain controller.

The vulnerability is tracked as CVE-2025-10230 (CVSS score 10.0) and affects all Samba versions since 4.0. The vulnerability requires specific configuration:

The Samba Server needs to run as Active Directory domain controller. 'member' or 'standalone' servers use a different WINS server that is not vulnerable
WINS support is active
a custom 'wins hook' script in the smb.conf file.

The WINS server used by the Samba Active Directory Domain Controller does not validate the names passed to the wins hook program, and it passed them by inserting them into a string run by a shell. Because the WINS server passes names directly into a shell command, an attacker can craft a malicious NetBIOS name containing shell metacharacters whih trigger the execution of arbitrary commands with system-level privileges.

By default, wins support is disabled, but many administrators enable it to integrate legacy applications.

Samba maintainers released updated versions: 4.23.2, 4.22.5, and 4.21.9. Organizations running vulnerable configurations should patch ASAP.

Administrators should avoid setting the 'wins hook' parameter in the smb.conf of a Samba AD Domain Controller. Removing or disabling the wins hook parameter provides an effective workaround, as long as WINS support remains enabled. Alternatively, disabling WINS support altogether (wins support = no) restores default safe behavior, but this may disrupt legacy name resolution.

The 'wins hook' parameter is unlikely to be useful on a domain controller, and administrators who use it might want to reconsider that choice even on a patched server.

Critical Samba flaw enables remote code execution on Samba servers running as Active Directory domain controllers

Read More
Click Studios reports authentication bypass vulnerability in their …
Apache patches critical remote code executuion flaw in …
Esri Releases Critical Security Patches for ArcGIS Developer …
SmarterTools Patches Critical Unauthenticated RCE and Active Exploits …
Multiple flaws reported in Rsync, at least one …