Critical Samba RCE Vulnerability Enables Arbitrary Code Execution
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Samba has disclosed a severe remote code execution (RCE) flaw that could allow attackers to hijack Active Directory domain controllers<\/a>.<\/p>\n Tracked as CVE-2025-10230, the vulnerability stems from improper validation in the Windows Internet Name Service (WINS) hook mechanism, earning a perfect CVSS 3.1 score of 10.0 for its ease of exploitation and devastating potential impact.<\/p>\n Samba, the open-source implementation of the SMB\/CIFS networking protocol widely used in Linux and Unix environments to mimic Windows file sharing and authentication, has long been a cornerstone for cross-platform enterprise networks. <\/p>\n However, this flaw exposes organizations relying on it as an Active Directory Domain<\/a> Controller (AD DC) to unauthenticated attacks.<\/p>\n Discovered by security researcher Igor Morgenstern of Aisle Research, the issue affects all Samba versions since 4.0 when specific configurations are enabled, namely, WINS support and a custom \u2018wins hook\u2019 script in the smb.conf file.<\/p>\n WINS, a deprecated Microsoft protocol from the pre-DNS era, resolves NetBIOS names in legacy Windows networks. <\/p>\n By default, WINS support is disabled in Samba, but when activated on an AD DC alongside the \u2018wins hook\u2019 parameter, which triggers an external script on name changes, the system becomes a sitting duck.<\/p>\n Attackers can send crafted WINS name registration requests containing shell metacharacters within the 15-character NetBIOS limit. <\/p>\n These inject arbitrary commands into the hook script, executed via a shell without any authentication<\/a> or user interaction required.<\/p>\n The vulnerability\u2019s scope is narrow but perilous: it only impacts Samba in AD DC mode (roles like \u2018domain controller\u2019 or \u2018active directory domain controller\u2019). <\/p>\n Standalone or member servers, which use a different WINS implementation, remain unaffected. In practice, this could let remote threat actors on the network pivot to full system compromise, exfiltrating sensitive data, deploying ransomware, or escalating privileges in hybrid Windows-Linux setups common in enterprises.<\/p>\n Samba maintainers acted swiftly<\/a>, releasing patches to their security portal and issuing updated versions: 4.23.2, 4.22.5, and 4.21.9.<\/p>\n Administrators should prioritize upgrades, especially in environments with legacy WINS dependencies. <\/p>\n As a workaround, disable the \u2018wins hook\u2019 parameter entirely or set \u2018wins support = no\u2019 in smb.conf Samba\u2019s default configuration already avoids this risky combo, making most setups safe out of the box.<\/p>\n Experts urge a broader review: WINS is obsolete, and its use on modern domain controllers is rare and inadvisable. Even post-patch, admins might disable hooks altogether, as future Samba releases could drop support. <\/p>\n With attack surfaces expanding in hybrid clouds, this incident underscores the need to audit and phase out antiquated protocols before they become entry points for nation-state actors or cybercriminals.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Samba RCE Vulnerability Enables Arbitrary Code Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSamba RCE Vulnerability<\/strong><\/h2>\n
Mitigations<\/strong><\/h2>\n