A newly disclosed vulnerability in Samba’s WINS server hook script enables unauthenticated attackers to run arbitrary commands on affected domain controllers.
This critical flaw, tracked as CVE-2025-10230, carries a maximum CVSSv3.1 score of 10.0, reflecting its ease of exploitation and devastating impact on confidentiality, integrity, and availability.
Overview of the Vulnerability
The issue arises when Samba’s WINS support is enabled and a domain controller specifies a wins hook parameter in its smb.conf, as reported by Samba.
Under these conditions, any change to a WINS name triggers the specified program without proper input validation.
CVE ID | Affected Versions | CVSS 3.1 Score | Impact Summary
--- | --- | --- | ---
CVE-2025-10230 | All versions since 4.0 | 10.0 | Unauthenticated remote code execution via crafted WINS name on AD controllers
Because the WINS server passes names directly into a shell command, an attacker can craft a malicious NetBIOS name containing shell metacharacters.
Once the name is processed, the injected payload executes on the server with system-level permissions.
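To make the bug class concrete, here is an added illustration (not Samba's code, and not the actual WINS hook implementation) of the two ways a hook can be invoked: the vulnerable pattern, where the name is interpolated into a single command string for a shell, next to a hardened form that validates the name against an allow-list and hands an argv list to the OS with no shell in between. The hook path, the argument layout (operation, name, TTL, addresses) and the NetBIOS name rules used for validation are assumptions made for this example.

```python
"""Vulnerable vs. hardened hook invocation (added example, not Samba's code)."""
import ipaddress
import re
import shlex
import subprocess

# Hypothetical hook path; Samba ships no default hook, so this is purely illustrative.
HOOK_PATH = "/usr/local/sbin/wins-hook"

# Conservative allow-list for a NetBIOS name: 1-15 characters, letters, digits and
# hyphens. Samba's own acceptance rules are not described on the page (assumption).
NETBIOS_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}")
OPERATIONS = {"add", "delete", "refresh"}  # assumed operation names


def unsafe_hook_command(operation: str, name: str, ttl: int, addrs: list[str]) -> str:
    """The vulnerable pattern: every field, including the attacker-influenced name,
    is interpolated into one string that a shell would later parse. The string is
    only returned here so the pattern can be inspected; nothing is executed."""
    return f"{HOOK_PATH} {operation} {name} {ttl} {' '.join(addrs)}"


def validate_netbios_name(name: str) -> bool:
    """True only if the whole name matches the allow-list."""
    return NETBIOS_NAME_RE.fullmatch(name) is not None


def safe_hook_argv(operation: str, name: str, ttl: int, addrs: list[str]) -> list[str]:
    """Hardened form: validate each field, then return an argv list. A list passed
    to subprocess.run without shell=True goes straight to execve, so no shell ever
    interprets the name and metacharacters in it are inert."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if not validate_netbios_name(name):
        raise ValueError("WINS name rejected: characters outside the allow-list")
    if ttl < 0:
        raise ValueError("ttl must be non-negative")
    for addr in addrs:
        ipaddress.ip_address(addr)  # raises ValueError for anything that is not an IP
    return [HOOK_PATH, operation, name, str(ttl), *addrs]


def run_hook(argv: list[str]) -> int:
    """Execute the hook with an argv list and no shell; returns the exit status."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    argv = safe_hook_argv("add", "FILESRV01", 3600, ["192.0.2.10"])
    print("would run:", shlex.join(argv))  # quoted for display only
```

The two defences are independent: the allow-list rejects anything that is not a plausible NetBIOS name, and the argv list removes the shell from the path entirely, so even a name that slipped past validation could not be parsed as a command.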
By default, wins support is disabled, but many administrators enable it to integrate legacy applications.
The vulnerability affects all Samba versions from 4.0 onward when running as an Active Directory Domain Controller with WINS support. Servers in non-AD roles, including standalone and member servers, use a different WINS server implementation and remain unaffected.
The flaw’s critical nature stems from the combination of network exposure, lack of authentication requirements, and full system control upon successful exploitation.
Remote attackers do not need valid credentials, and no user interaction is required beyond sending a specially crafted WINS request.
This exposes an organization to data theft, backdoor installation, ransomware deployment, or complete infrastructure takeover.
The CVSSv3.1 vector string (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) captures this: the flaw is reachable over the network, has low attack complexity, requires no privileges and no user interaction, changes scope, and has high impact on confidentiality, integrity, and availability.
Organisations running Samba as a domain controller with WINS enabled should treat this vulnerability as an urgent priority.
Mitigation and Recommendations
Patches for Samba 4.23.2, 4.22.5, and 4.21.9 have been released.
Administrators should upgrade to one of these versions immediately or apply the official patch available on Samba’s security page.
In environments where updating cannot happen immediately, removing the wins hook parameter is an effective workaround, even if WINS support itself remains enabled. Specifically, explicitly setting
wins hook =
(an empty value) in smb.conf neutralizes the vulnerability by preventing any command invocation.
Alternatively, disabling WINS support altogether (wins support = no) restores default safe behavior, though this may disrupt legacy name resolution.
Administrators should audit their domain controllers’ configurations to verify that no unnecessary hooks are present.
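The audit described above can be scripted. The following is an added example (not a Samba tool) that parses an smb.conf and reports whether it matches the exposed combination the article describes: an Active Directory Domain Controller role, wins support enabled, and a non-empty wins hook. The minimal parser, the role heuristics and the sample configurations are assumptions constructed for this example; Samba's real loader also follows include directives and resolves the auto role, which this script does not.

```python
"""Audit an smb.conf for the CVE-2025-10230 exposure (added example, not Samba's code)."""

# Constructed sample: the exposed configuration the article describes.
VULNERABLE_CONF = """
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.TEST
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/sbin/wins-hook
"""

# Constructed sample: the workaround from the article, wins hook set to empty.
REMEDIATED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.TEST
    server role = active directory domain controller
    wins support = yes
    wins hook =
"""

# Constructed sample: same hook on a member server, which uses a different WINS
# implementation and is not affected according to the advisory.
MEMBER_CONF = """
[global]
    workgroup = EXAMPLE
    server role = member server
    wins support = yes
    wins hook = /usr/local/sbin/wins-hook
"""

# Role values Samba accepts for an AD DC (the short alias and the long form).
AD_DC_ROLES = {"dc", "active directory domain controller"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI-style parser: [sections], 'name = value' lines, full-line
    '#' or ';' comments. Parameter names are lower-cased with whitespace
    collapsed (assumed normalisation); a later duplicate overrides an earlier one.
    Include directives are not followed."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def is_true(value: str) -> bool:
    """Samba-style boolean: yes/true/1 are on, everything else is off."""
    return value.strip().lower() in {"yes", "true", "1"}


def audit_wins_hook(conf_text: str) -> dict:
    """Report the three conditions and whether they combine into the exposure."""
    g = parse_smb_conf(conf_text).get("global", {})
    role = g.get("server role", "auto").strip().lower()
    wins_support = is_true(g.get("wins support", "no"))
    wins_hook = g.get("wins hook", "")
    hook_active = wins_support and wins_hook != ""
    return {
        "server role": role,
        "wins support": wins_support,
        "wins hook": wins_hook,
        "exposed": role in AD_DC_ROLES and hook_active,
        # 'auto' is resolved by Samba from other settings; flag it for manual review.
        "needs review": role == "auto" and hook_active,
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else VULNERABLE_CONF
    for key, val in audit_wins_hook(text).items():
        print(f"{key:13}: {val}")
```

Run it as `python audit.py /etc/samba/smb.conf`, or feed it the output of `testparm -s`, which prints the effective configuration with includes expanded and the role already resolved, so the needs-review case goes away.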
Future releases of Samba may remove deprecated WINS hook functionality entirely, so teams planning long-term deployments should reconsider reliance on this mechanism.
CVE-2025-10230 represents a severe risk to any organization using Samba AD Domain Controllers with WINS support.
The combination of trivial network-based exploitation and full code execution demands immediate action.
By applying updates or disabling the vulnerable configuration, administrators can protect their networks against remote takeover and preserve the integrity of critical directory services.