Samba Command Injection Flaws Expose Internet-Facing Servers to Remote Takeover
Multiple critical Samba flaws have highlighted how non-default but dangerous configurations can turn exposed file-sharing infrastructure into a remote code execution path. CVE-2025-10230 affects Samba's WINS server on Active Directory Domain Controllers when WINS support is enabled and a non-empty wins hook is configured, allowing an unauthenticated attacker to send a crafted WINS registration packet to UDP port 137 and inject shell metacharacters into a command executed by Samba, potentially with root privileges. Separately, CVE-2026-4480 and CVE-2026-4408, both rated CVSS 10.0, affect Samba's printing subsystem and DCE/RPC SAMR server when administrators use vulnerable print command or check password script settings with %J or %u substitution characters.
Samba issued fixes for the WINS flaw in versions 4.23.2, 4.22.5, and 4.21.9, and for the later command-injection issues in 4.22.10, 4.23.8, and 4.24.3. Reporting on internet exposure said more than 63,000 Samba assets were reachable on TCP 445, underscoring the risk that misconfigured public SMB services could be used for server takeover, credential theft, ransomware deployment, and lateral movement. Defenders were urged to patch affected releases, audit smb.conf for risky wins hook, print command, and password-check script settings, monitor UDP 137 and SMB activity for suspicious behavior, and restrict external access with firewalls, VPNs, or IP allowlists.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OSINT Team reports 63,055 internet-exposed Samba assets
As of June 2026, the article states that Criminal IP Asset Search identified 63,055 Samba assets exposed on TCP port 445. It highlights the largest concentrations in Pakistan, the United States, Portugal, Germany, and Réunion.
Samba patches CVE-2026-4480 and CVE-2026-4408
On May 26, 2026, the Samba Team patched two CVSS 10.0 vulnerabilities, CVE-2026-4480 and CVE-2026-4408, in versions 4.22.10, 4.23.8, and 4.24.3. The issues affect specific non-default print command and password-check script configurations.
Samba releases fixes for CVE-2025-10230
Samba released fixes for the WINS server command injection vulnerability CVE-2025-10230 in versions 4.23.2, 4.22.5, and 4.21.9. The flaw can allow unauthenticated remote code execution on affected non-default Samba AD DC configurations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Samba on Port 445: How Public SMB Exposure Becomes a Critical Attack Surface | by Criminal IP | Jun, 2026 | OSINT Team
osintteam.blog
Open sourceSamba WINS Server Command Injection (CVE-2025-10230): Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath
zeropath.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Samba WINS Command Injection Vulnerability Allowing Unauthenticated RCE on Domain Controllers
Samba has released a security update to address a critical remote command execution (RCE) vulnerability, tracked as CVE-2025-10230, which affects its Windows Internet Name Service (WINS) implementation when used as an Active Directory (AD) domain controller. The flaw arises because Samba does not strictly validate the wins hook script command when processing registration messages, allowing unauthenticated attackers to craft special hostnames that inject arbitrary commands into the target server. This vulnerability is rated with a maximum CVSS score of 10.0, indicating its severity and the potential for complete system compromise. The issue impacts multiple versions of Samba, specifically versions up to 4.23.1, 4.22.4, and 4.21.8, but only when Samba is configured as a domain controller with WINS support enabled and the wins hook parameter set. Systems running unaffected versions, such as Samba 4.23.2, 4.22.5, and 4.21.9 or later, are not vulnerable. The vulnerability allows attackers to execute commands with the privileges of the Samba process, which could lead to full control over the affected domain controller. Exploitation does not require authentication, significantly increasing the risk to exposed systems. Samba has released patched versions to address the flaw, and administrators are strongly urged to upgrade to the latest secure releases as soon as possible. As a temporary mitigation, organizations can disable the wins hook parameter and ensure that WINS support is not enabled unless absolutely necessary. The vulnerability is not enabled by default, but environments that have manually enabled WINS support and the wins hook parameter are at immediate risk. Security advisories recommend that users review their Samba configurations and apply the official patches or mitigations without delay. The flaw was publicly disclosed in mid-October 2025, and security researchers have highlighted the ease of exploitation and the critical nature of the risk. Organizations running Samba as an AD domain controller should prioritize remediation efforts to prevent potential compromise. The vulnerability underscores the importance of strict input validation and secure configuration practices in critical infrastructure components. The official Samba project has provided detailed guidance and download links for the patched versions. Failure to address this vulnerability could result in significant operational and security impacts, including domain-wide compromise and lateral movement by attackers. Security teams are advised to monitor for signs of exploitation and to audit their Samba deployments for vulnerable configurations.
Jun 29, 2026Samba fixes unauthenticated and low-privilege RCE flaws in SAMR and printing
Samba released security updates `4.24.3`, `4.23.8`, and `4.22.10` to fix six vulnerabilities affecting SMB, Active Directory, printing, and DCE/RPC components. The most serious issues are **CVE-2026-4408** and **CVE-2026-4480**, command-injection flaws that can lead to remote code execution in specific configurations. **CVE-2026-4408** affects the SAMR DCE/RPC service when `samba-dcerpcd` is used with the `check password script` option and unsafe `%u` expansion, while **CVE-2026-4480** affects the printing subsystem because Samba passed a client-controlled job description through the `%J` substitution in `print command` without properly escaping shell metacharacters.
Jun 29, 2026
Critical Drupal SAML SSO auth bypass and high-severity Samba flaws disclosed
Drupal disclosed **SA-CONTRIB-2026-031**, a critical authentication bypass vulnerability in the **SAML SSO - Service Provider** module affecting versions prior to `3.1.4`. The Canadian Centre for Cyber Security warned that organizations using the product should review Drupal’s guidance and apply the vendor update, as the flaw could allow unauthorized access through affected single sign-on deployments. Separately, Samba maintainers announced upcoming security releases for versions `4.22`, `4.23`, and `4.24` to address six vulnerabilities spanning file services, domain members, and Active Directory Domain Controller components. A follow-up correction said a **CVSS 10.0** file-services issue affects uncommon configurations rather than some configurations, and clarified that one Active Directory-related flaw impacts domain members rather than AD domain controllers; administrators were urged to deploy the Samba updates promptly after release.
Jun 29, 2026