Samba vulnerable to a critical flaw in a specific configuration
With WINS support enabled, attackers can remotely execute commands under certain conditions. Patches and a workaround are available.
Admins of Samba Active Directory (AD) domain controllers who have enabled WINS (Windows Internet Name Service) support and have additionally set the “wins hook” parameter should act quickly: a vulnerability rated with the maximum CVSS score of 10.0 (“Critical”) exists in the open-source implementation of the SMB protocol, and it affects precisely this non-default configuration.
All Samba versions since 4.0 are vulnerable in that configuration. The developers have released patched versions (Samba 4.23.2, 4.22.5 and 4.21.9) and published a workaround.
The Samba advisory for CVE-2025-10230 contains all details of the vulnerability; the patches can be downloaded from the Security Release Site.
Remote Code Execution without Authentication
According to the Samba developers, the vulnerability stems from missing validation of names registered through the outdated WINS protocol for central name resolution in local networks. A client registering a name with the server can choose that name freely (“clients can request any name that fits within the 15-character NetBIOS limit”), including shell metacharacters, and the name is passed into the shell command with which Samba runs the configured “wins hook” script.
Because WINS name registration requires no authentication, an unauthenticated attacker on the network could in the worst case inject commands into that script invocation and execute code remotely on the domain controller (remote code execution).
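The injection class described above, modelled in Python as an added example (this is not Samba's code and not the exact command Samba builds): the first function splices the client-chosen name into a single shell string, the second shows how a POSIX shell would tokenise the result without executing anything, and the hardened variant validates the name and hands the script an argv list so that no shell ever parses client data. The hook's argument layout (operation, name, name type, TTL, IP addresses) follows the smb.conf(5) description of “wins hook” as I recall it, and the strict name allowlist is narrower than the NetBIOS character set; both are assumptions of this example, as are the hook path and the registration data.

```python
import re
import shlex
import subprocess

# NetBIOS names are at most 15 characters. This allowlist is deliberately
# narrower than what NetBIOS itself permits (assumption of this example): it
# keeps letters, digits, '_', '.' and '-' and rejects every shell metacharacter.
NETBIOS_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")
HOOK_OPERATIONS = ("add", "delete", "refresh")


def build_vulnerable_command(hook, op, name, name_type, ttl, ips):
    """Vulnerable pattern: the client-chosen name is spliced into one shell string.

    Hypothetical model of the flawed behaviour, not Samba's actual code: whatever
    the client registered is later parsed by /bin/sh as part of the command.
    """
    return f"{hook} {op} {name} {name_type:02x} {ttl} {' '.join(ips)}"


def shell_tokens(command):
    """Tokenise a command the way a POSIX shell would, keeping operators such as
    ';', '|' and '&' as separate tokens. Nothing is executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def is_safe_netbios_name(name):
    """True only for names matching the strict allowlist above."""
    return NETBIOS_NAME_RE.fullmatch(name) is not None


def build_hook_argv(hook, op, name, name_type, ttl, ips):
    """Hardened form: validate the name and hand the script an argv list.

    With an argv list there is no shell in the path, so a metacharacter in the
    name cannot turn into a second command; the allowlist is defence in depth.
    """
    if op not in HOOK_OPERATIONS:
        raise ValueError(f"unknown hook operation: {op!r}")
    if not is_safe_netbios_name(name):
        raise ValueError(f"rejected NetBIOS name: {name!r}")
    return [hook, op, name, f"{name_type:02x}", str(ttl), *[str(ip) for ip in ips]]


def run_hook(hook, op, name, name_type, ttl, ips):
    """Run the hook script without a shell; returns the CompletedProcess."""
    argv = build_hook_argv(hook, op, name, name_type, ttl, ips)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed registration: a hostile client registers "FILESRV;id" (example data).
    hook = "/usr/local/sbin/wins-hook"   # hypothetical hook path
    cmd = build_vulnerable_command(hook, "add", "FILESRV;id", 0x20, 3600, ["10.0.0.5"])
    print("vulnerable string :", cmd)
    print("shell sees tokens :", shell_tokens(cmd))   # ';' splits off a second command 'id'
    try:
        build_hook_argv(hook, "add", "FILESRV;id", 0x20, 3600, ["10.0.0.5"])
    except ValueError as err:
        print("hardened rejects  :", err)
    # Legitimate name, with 'echo' standing in for the hook so this runs offline.
    result = run_hook("echo", "add", "FILESRV01", 0x20, 3600, ["10.0.0.5"])
    print("hardened argv ran :", result.stdout.strip())
```

The point of the token listing is that the shell, not the hook script, decides where the command ends: the `;` inside the registered name terminates the hook invocation and starts a new command. The argv variant removes the shell from the path entirely, which is the fix that works regardless of which characters a name may legally contain; the allowlist only adds a second barrier.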
Workaround via smb.conf
Whether WINS support is enabled can be checked in smb.conf (worth doing as a precaution in any case). By default it is disabled, and the “wins hook” parameter is not set either.
In their advisory, the Samba developers describe the following combination as “secure”, and thus also as the workaround:
server role = domain controller
wins support = no
With WINS support disabled, the value assigned to “wins hook” (also in smb.conf) no longer matters. As a precaution, clear it anyway:
wins hook =
Also important: if “server role” in smb.conf is not set to “domain controller” (or one of its synonyms, “active directory domain controller” or “dc”), the server is not vulnerable to this flaw, according to the developers.
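The three conditions from the workaround section (server role, WINS support, wins hook), turned into a check as an added example that is not part of the advisory or of Samba's tooling. The parser reads only the [global] section and follows Samba's habit of ignoring case and whitespace in parameter names; it does not follow “include =” lines or expand % macros, which is an assumption of this example. The sample configurations are constructed, and the hook path in them is hypothetical.

```python
import re

# Role names the article lists as meaning "domain controller", whitespace removed.
DC_ROLES = {"domaincontroller", "activedirectorydomaincontroller", "dc"}
TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample configurations (not taken from a real server).
VULNERABLE_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    wins support = yes
    ; hypothetical hook path
    wins hook = /usr/local/sbin/wins-hook
"""

WORKAROUND_CONF = (
    VULNERABLE_CONF.replace("wins support = yes", "wins support = no")
    .replace("wins hook = /usr/local/sbin/wins-hook", "wins hook =")
)


def _norm(text):
    """Samba compares parameter names and role values ignoring case and whitespace."""
    return "".join(text.split()).lower()


def parse_global(conf_text):
    """Minimal smb.conf reader returning [global] as {normalised key: value}.

    Handles '#' and ';' comments, [section] headers and 'key = value' lines.
    It does not resolve 'include =' or % macros (assumption of this example);
    feed it the output of 'testparm -s' if the effective configuration is needed.
    """
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = _norm(header.group(1))
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[_norm(key)] = value.strip()
    return params


def check_cve_2025_10230(conf_text):
    """Return (affected, reason) for the configuration conditions named in the article.

    Defaults follow smb.conf: 'server role' is 'auto', 'wins support' is 'no',
    'wins hook' is empty. An 'auto' role is reported as not affected here, but
    confirm the resolved role with testparm on a real host.
    """
    g = parse_global(conf_text)
    role = _norm(g.get("serverrole", "auto"))
    wins_support = _norm(g.get("winssupport", "no")) in TRUE_VALUES
    wins_hook = g.get("winshook", "")
    if role not in DC_ROLES:
        return False, f"server role {role!r} is not a domain controller"
    if not wins_support:
        return False, "wins support is disabled"
    if not wins_hook:
        return False, "wins hook is not set"
    return True, f"AD DC with wins support enabled and wins hook = {wins_hook!r}"


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("workaround", WORKAROUND_CONF)):
        affected, reason = check_cve_2025_10230(conf)
        print(f"{label:>10}: affected={affected} ({reason})")
```

On a live host, pipe `testparm -s` into the function instead of reading smb.conf directly, so that included files and Samba's own parsing are taken into account; the parser here is deliberately small and only meant to make the three conditions explicit.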
Further Vulnerability with “Medium” Rating Fixed
As described on the release site, the same releases also fix a second vulnerability (CVE-2025-9640), rated with a CVSS score of only 4.3 (“Medium”).
It is nevertheless worth noting, since it affects all Samba versions since 3.2 and does not depend on the WINS configuration described above. Under certain circumstances it could be exploited to read sensitive data.
(ovw)