Critical Samba WINS Command Injection Vulnerability Allowing Unauthenticated RCE on Domain Controllers
Samba has released a security update to address a critical remote command execution (RCE) vulnerability, tracked as CVE-2025-10230, which affects its Windows Internet Name Service (WINS) implementation when used as an Active Directory (AD) domain controller. The flaw arises because Samba does not strictly validate the wins hook script command when processing registration messages, allowing unauthenticated attackers to craft special hostnames that inject arbitrary commands into the target server. This vulnerability is rated with a maximum CVSS score of 10.0, indicating its severity and the potential for complete system compromise. The issue impacts multiple versions of Samba, specifically versions up to 4.23.1, 4.22.4, and 4.21.8, but only when Samba is configured as a domain controller with WINS support enabled and the wins hook parameter set. Systems running unaffected versions, such as Samba 4.23.2, 4.22.5, and 4.21.9 or later, are not vulnerable. The vulnerability allows attackers to execute commands with the privileges of the Samba process, which could lead to full control over the affected domain controller. Exploitation does not require authentication, significantly increasing the risk to exposed systems. Samba has released patched versions to address the flaw, and administrators are strongly urged to upgrade to the latest secure releases as soon as possible. As a temporary mitigation, organizations can disable the wins hook parameter and ensure that WINS support is not enabled unless absolutely necessary. The vulnerability is not enabled by default, but environments that have manually enabled WINS support and the wins hook parameter are at immediate risk. Security advisories recommend that users review their Samba configurations and apply the official patches or mitigations without delay. The flaw was publicly disclosed in mid-October 2025, and security researchers have highlighted the ease of exploitation and the critical nature of the risk. Organizations running Samba as an AD domain controller should prioritize remediation efforts to prevent potential compromise. The vulnerability underscores the importance of strict input validation and secure configuration practices in critical infrastructure components. The official Samba project has provided detailed guidance and download links for the patched versions. Failure to address this vulnerability could result in significant operational and security impacts, including domain-wide compromise and lateral movement by attackers. Security teams are advised to monitor for signs of exploitation and to audit their Samba deployments for vulnerable configurations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Samba releases patches and mitigation guidance for CVE-2025-10230
Samba released security updates to fix CVE-2025-10230 in versions 4.23.2+, 4.22.5+, and 4.21.9+, with affected versions including 4.23.1 and earlier, 4.22.4 and earlier, and 4.21.8 and earlier. As temporary mitigations, guidance recommended disabling the wins hook and setting wins support to no on domain controller deployments where feasible.
Samba discloses CVE-2025-10230 command injection flaw
A critical unauthenticated command injection vulnerability, CVE-2025-10230, was disclosed in Samba affecting deployments used as Active Directory domain controllers with WINS support enabled and a wins hook script configured. The flaw allows a specially crafted host name in a registration message to trigger remote code execution in the context of the Samba process and was rated CVSS 10.0.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Samba WINS Command Injection Vulnerability (CVE-2025-10230) Notice
securityboulevard.com
Open sourceCritical Samba RCE Flaw CVE-2025-10230 (CVSS 10.0) Allows Unauthenticated Command Injection on AD DCs
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Samba Command Injection Flaws Expose Internet-Facing Servers to Remote Takeover
Multiple critical Samba flaws have highlighted how non-default but dangerous configurations can turn exposed file-sharing infrastructure into a remote code execution path. `CVE-2025-10230` affects Samba's WINS server on Active Directory Domain Controllers when WINS support is enabled and a non-empty `wins hook` is configured, allowing an unauthenticated attacker to send a crafted WINS registration packet to UDP port `137` and inject shell metacharacters into a command executed by Samba, potentially with root privileges. Separately, `CVE-2026-4480` and `CVE-2026-4408`, both rated `CVSS 10.0`, affect Samba's printing subsystem and DCE/RPC SAMR server when administrators use vulnerable `print command` or `check password script` settings with `%J` or `%u` substitution characters. Samba issued fixes for the WINS flaw in versions `4.23.2`, `4.22.5`, and `4.21.9`, and for the later command-injection issues in `4.22.10`, `4.23.8`, and `4.24.3`. Reporting on internet exposure said more than 63,000 Samba assets were reachable on TCP `445`, underscoring the risk that misconfigured public SMB services could be used for server takeover, credential theft, ransomware deployment, and lateral movement. Defenders were urged to patch affected releases, audit `smb.conf` for risky `wins hook`, `print command`, and password-check script settings, monitor UDP `137` and SMB activity for suspicious behavior, and restrict external access with firewalls, VPNs, or IP allowlists.
Jun 29, 2026Samba fixes unauthenticated and low-privilege RCE flaws in SAMR and printing
Samba released security updates `4.24.3`, `4.23.8`, and `4.22.10` to fix six vulnerabilities affecting SMB, Active Directory, printing, and DCE/RPC components. The most serious issues are **CVE-2026-4408** and **CVE-2026-4480**, command-injection flaws that can lead to remote code execution in specific configurations. **CVE-2026-4408** affects the SAMR DCE/RPC service when `samba-dcerpcd` is used with the `check password script` option and unsafe `%u` expansion, while **CVE-2026-4480** affects the printing subsystem because Samba passed a client-controlled job description through the `%J` substitution in `print command` without properly escaping shell metacharacters.
Jun 29, 2026
Critical Drupal SAML SSO auth bypass and high-severity Samba flaws disclosed
Drupal disclosed **SA-CONTRIB-2026-031**, a critical authentication bypass vulnerability in the **SAML SSO - Service Provider** module affecting versions prior to `3.1.4`. The Canadian Centre for Cyber Security warned that organizations using the product should review Drupal’s guidance and apply the vendor update, as the flaw could allow unauthorized access through affected single sign-on deployments. Separately, Samba maintainers announced upcoming security releases for versions `4.22`, `4.23`, and `4.24` to address six vulnerabilities spanning file services, domain members, and Active Directory Domain Controller components. A follow-up correction said a **CVSS 10.0** file-services issue affects uncommon configurations rather than some configurations, and clarified that one Active Directory-related flaw impacts domain members rather than AD domain controllers; administrators were urged to deploy the Samba updates promptly after release.
Jun 29, 2026