Samba has disclosed a severe remote code execution (RCE) flaw that could allow attackers to hijack Active Directory domain controllers.
Tracked as CVE-2025-10230, the vulnerability stems from improper validation in the Windows Internet Name Service (WINS) hook mechanism, earning a perfect CVSS 3.1 score of 10.0 for its ease of exploitation and devastating potential impact.
Samba, the open-source implementation of the SMB/CIFS networking protocol widely used in Linux and Unix environments to mimic Windows file sharing and authentication, has long been a cornerstone for cross-platform enterprise networks.
However, this flaw exposes organizations relying on it as an Active Directory Domain Controller (AD DC) to unauthenticated attacks.
Discovered by security researcher Igor Morgenstern of Aisle Research, the issue affects all Samba versions since 4.0 when specific configurations are enabled, namely, WINS support and a custom ‘wins hook’ script in the smb.conf file.
Samba RCE Vulnerability
WINS, a deprecated Microsoft protocol from the pre-DNS era, resolves NetBIOS names in legacy Windows networks.
By default, WINS support is disabled in Samba, but when activated on an AD DC alongside the ‘wins hook’ parameter, which triggers an external script on name changes, the system becomes a sitting duck.
Attackers can send crafted WINS name registration requests containing shell metacharacters within the 15-character NetBIOS limit.
These inject arbitrary commands into the hook script, executed via a shell without any authentication or user interaction required.
The vulnerability’s scope is narrow but perilous: it only impacts Samba in AD DC mode (roles like ‘domain controller’ or ‘active directory domain controller’).
Standalone or member servers, which use a different WINS implementation, remain unaffected. In practice, this could let remote threat actors on the network pivot to full system compromise, exfiltrating sensitive data, deploying ransomware, or escalating privileges in hybrid Windows-Linux setups common in enterprises.
Mitigations
Samba maintainers acted swiftly, releasing patches to their security portal and issuing updated versions: 4.23.2, 4.22.5, and 4.21.9.
Administrators should prioritize upgrades, especially in environments with legacy WINS dependencies.
As a workaround, disable the ‘wins hook’ parameter entirely or set ‘wins support = no’ in smb.conf. Samba’s default configuration already avoids this risky combination, making most setups safe out of the box.
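To check a host for the risky combination named above, here is an added audit script written for this article (not Samba’s own tooling): it reads smb.conf and flags an AD DC server role combined with ‘wins support = yes’ and a non-empty ‘wins hook’, run here against two constructed sample configs whose hook path is made up.

```sh
#!/bin/sh
# Example smb.conf audit for the wins-hook exposure (added here, not Samba code).
# Plain-text scan only: on a real host feed it the output of `testparm -s`
# so that includes and defaults are resolved before the check.
# Print the [global] value of parameter $2 from smb.conf $1 (empty if unset).
smb_global_param() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                               # comment line
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" && index($0, "=") {
            k = $0; sub(/=.*/, "", k);     gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v         # last one wins
        }
        END { print val }' "$1"
}
# Exit 0 when the file has the vulnerable combination, 1 otherwise.
# Only the two AD DC role spellings named in the article are matched.
samba_wins_hook_risky() {
    role=$(smb_global_param "$1" "server role" | tr 'A-Z' 'a-z')
    wins=$(smb_global_param "$1" "wins support" | tr 'A-Z' 'a-z')
    hook=$(smb_global_param "$1" "wins hook")
    case "$role" in
        "active directory domain controller"|"domain controller") ;;
        *) return 1 ;;  # standalone/member servers use another WINS code path
    esac
    case "$wins" in yes|true|1|on) ;; *) return 1 ;; esac
    [ -n "$hook" ]
}
# Constructed sample configs (not from any real deployment; hook path is made up).
RISKY_CONF=$(mktemp); SAFE_CONF=$(mktemp)
trap 'rm -f "$RISKY_CONF" "$SAFE_CONF"' EXIT
cat > "$RISKY_CONF" <<'EOF'
[global]
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/bin/wins-notify.sh
EOF
cat > "$SAFE_CONF" <<'EOF'
[global]
    server role = active directory domain controller
    wins support = no
    ; wins hook = /usr/local/bin/wins-notify.sh
EOF
for conf in "$RISKY_CONF" "$SAFE_CONF"; do
    samba_wins_hook_risky "$conf" && echo "$conf: VULNERABLE (AD DC + wins support + wins hook)" \
                                  || echo "$conf: wins hook not exposed"
done
```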
Experts urge a broader review: WINS is obsolete, and its use on modern domain controllers is rare and inadvisable. Even post-patch, admins might disable hooks altogether, as future Samba releases could drop support.
With attack surfaces expanding in hybrid clouds, this incident underscores the need to audit and phase out antiquated protocols before they become entry points for nation-state actors or cybercriminals.