The Samba Team has released an urgent advisory addressing two vulnerabilities, including a critical command injection (CVE-2025-10230) that could allow unauthenticated remote code execution (RCE) on Samba Active Directory Domain Controllers (AD DCs).
The flaw carries a CVSS score of 10.0, the maximum possible, and affects Samba AD DCs that have the WINS server enabled and a non-empty "wins hook" parameter configured.
“If the ‘wins hook’ parameter is set on a domain controller with the WINS server enabled, unauthenticated remote code execution is possible,” the Samba Team warned.
CVE-2025-10230: Command Injection via WINS Server Hook
The issue arises from insufficient input validation in the WINS server implementation of the Samba AD DC. When a WINS name is registered, refreshed or released, Samba runs the program named by the "wins hook" parameter, but it built the command line by inserting the client-supplied name into a string that is then run by a shell, without sanitizing it.
“The WINS server used by the Samba Active Directory Domain Controller did not validate the names passed to the wins hook program, and it passed them by inserting them into a string run by a shell,” the advisory explains.
This means a malicious client can register a specially crafted NetBIOS name containing shell metacharacters (such as ; or |), and the shell will interpret them as command separators, leading to arbitrary command execution on the affected domain controller with the privileges of the Samba process.
Because the attack requires no authentication, any host that can reach the DC's NetBIOS name service (UDP port 137) can attempt it, which makes it an especially high risk for enterprise networks still running legacy WINS configurations.
“WINS is an obsolete and trusting protocol… clients can request any name that fits within the 15-character NetBIOS limit. This includes some shell metacharacters, making it possible to run arbitrary commands on the host,” the Samba Team added.
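The two patterns the advisory contrasts, interpolating a client-supplied name into a shell command line versus handing it to the hook as a separate argument, are shown below as an added example. This is not Samba's code and does not reproduce the real `wins hook` calling convention; the hook `echo`, the operation string `add`, the argument layout and the constructed name `HOST;echo X` (11 characters, so within the 15-character NetBIOS limit) are all assumptions made for the demonstration.

```python
import re
import subprocess

# NetBIOS names are at most 15 characters; the point of the advisory is that
# 15 characters still leave room for shell metacharacters such as ; | & $ `.
NETBIOS_MAX = 15

# Conservative allow-list used before handing a name to an external program.
# Assumption for this example: it is stricter than what NetBIOS itself permits.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,%d}$" % NETBIOS_MAX)


def name_is_safe(name: str) -> bool:
    """True only for names made of letters, digits, '.', '_' and '-'."""
    return SAFE_NAME.fullmatch(name) is not None


def run_hook_via_shell(hook: str, op: str, name: str) -> str:
    """The vulnerable pattern: the name is spliced into a single string that a
    shell parses, so a ';' inside the name starts a second command."""
    cmdline = f"{hook} {op} {name}"
    result = subprocess.run(["sh", "-c", cmdline],
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_hook_via_argv(hook: str, op: str, name: str) -> str:
    """The fixed pattern: exec the hook with an argument vector. The name
    arrives as exactly one argv element and is never parsed by a shell."""
    result = subprocess.run([hook, op, name],
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_hook_hardened(hook: str, op: str, name: str) -> str:
    """Defence in depth: validate the name and still avoid the shell."""
    if not name_is_safe(name):
        raise ValueError(f"refusing to pass unsafe WINS name to hook: {name!r}")
    return run_hook_via_argv(hook, op, name)


if __name__ == "__main__":
    # Constructed hostile name: a plausible host name followed by a second command.
    hostile = "HOST;echo X"
    print("shell:", repr(run_hook_via_shell("echo", "add", hostile)))  # second command ran
    print("argv: ", repr(run_hook_via_argv("echo", "add", hostile)))   # name passed intact
    try:
        run_hook_hardened("echo", "add", hostile)
    except ValueError as exc:
        print("hardened:", exc)
```

With the shell pattern the output is `add HOST` followed by `X`, because the shell split the line at the semicolon and executed `echo X` as a separate command; with the argv pattern the whole string `HOST;echo X` reaches the hook as its second argument. The allow-list is a second layer, not a substitute for dropping the shell.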
The vulnerability only affects domain controllers with WINS support enabled and a non-empty "wins hook" parameter. Other Samba servers, such as member servers or standalone hosts, are not impacted, even if they run a WINS server.
“The WINS server used by Samba when it is not a domain controller is unaffected,” the advisory clarifies.
As an immediate mitigation, administrators should avoid setting the “wins hook” parameter in their smb.conf file on domain controllers.
“Avoid setting the ‘wins hook’ parameter in the smb.conf of a Samba AD Domain Controller,” Samba recommended.
Alternatively, leaving WINS disabled on the DC (wins support = no, which is the default) also removes the exposure, regardless of whether "wins hook" is set.
“The default value for ‘wins support’ is ‘no’, so it is safe… the combination is safe regardless of ‘wins hook’,” the advisory noted.
The Samba Team also noted that the "wins hook" functionality is of little use on a domain controller and may be removed in future releases, so administrators relying on it should plan a replacement rather than simply re-enabling it after patching.
“The ‘wins hook’ parameter is unlikely to be useful on a domain controller… it may not be supported in future Samba releases,” the developers stated.
CVE-2025-9640: Memory Disclosure in vfs_streams_xattr
In addition to the RCE bug, Samba patched a second flaw, CVE-2025-9640, rated CVSS 4.3 (Medium), involving an uninitialized memory disclosure in the vfs_streams_xattr module.
“Uninitialised memory can be written into alternate data streams, possibly leaking sensitive data,” the advisory explained.
This bug could allow an authenticated user to read discarded heap memory by issuing write requests that create holes in an alternate data stream, which the module then fills from uninitialised memory, potentially exposing fragments of data left over from earlier operations in the same process.
“An authenticated user can read an unlimited number of samples of discarded heap memory… due to a failure to initialise memory in streams_xattr_pwrite() in the vfs_streams_xattr file server module,” Samba said.
Samba's memory-handling practices reduce the impact, since known secrets are erased before the associated memory is freed, but other sensitive data that passed through the heap could still be exposed.
“Samba erases known secrets before freeing the associated memory, which somewhat mitigates the data leak,” the team noted.
Systems that do not use vfs_streams_xattr are unaffected, and the issue can be temporarily mitigated by removing the module from the configuration:
"Removing 'streams_xattr' from the 'vfs objects' list will avoid the [issue] but will affect functionality," Samba advised.
The Samba Team has released patched versions 4.23.2, 4.22.5, and 4.21.9, addressing both vulnerabilities. Administrators are strongly urged to update immediately or apply the patches manually.
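The conditions that make a DC exposed to CVE-2025-10230 (AD DC role, `wins support = yes`, non-empty `wins hook`) and the fixed version numbers above can be turned into a quick audit. The script below is an added example, not a Samba tool: it parses an `smb.conf` with Python's configparser, reports whether the dangerous combination is present, and compares a version string against the patched releases named in the advisory. The sample configuration, the hook path `/usr/local/sbin/wins-update-dns`, and the assumption that the relevant role string is `active directory domain controller` are constructed for the example.

```python
import configparser
import re
from typing import Optional

# Constructed example of a vulnerable AD DC configuration.
SAMPLE_VULNERABLE_CONF = """
[global]
    server role = active directory domain controller
    workgroup = CORP
    realm = CORP.EXAMPLE
    wins support = yes
    wins hook = /usr/local/sbin/wins-update-dns   ; constructed hook path

[netlogon]
    path = /var/lib/samba/sysvol/corp.example/scripts
    read only = no
"""

# First fixed release on each supported branch, per the advisory.
PATCHED_RELEASES = {(4, 23): (4, 23, 2), (4, 22): (4, 22, 5), (4, 21): (4, 21, 9)}

SAMBA_TRUE = {"yes", "true", "1", "on"}


def parse_smb_conf(text: str) -> configparser.RawConfigParser:
    """Parse smb.conf syntax: '#' and ';' comments, 'key = value', [sections]."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False,
                                      inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def audit_wins_hook(text: str) -> dict:
    """Return the three conditions from the advisory and whether all hold."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    role = g.get("server role", "").strip().lower()
    is_ad_dc = role == "active directory domain controller"   # assumption: canonical string
    wins = g.get("wins support", "no").strip().lower() in SAMBA_TRUE  # default is 'no'
    hook = g.get("wins hook", "").strip()
    return {
        "ad_dc": is_ad_dc,
        "wins_support": wins,
        "wins_hook": hook,
        "exposed": is_ad_dc and wins and hook != "",
    }


def is_patched(version: str) -> Optional[bool]:
    """True if the upstream version is at or past the fixed release on its branch.
    Returns None for branches the advisory does not list (older than 4.21), since
    those received no fix and must be upgraded rather than compared."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no x.y.z version found in {version!r}")
    ver = tuple(int(x) for x in m.groups())
    branch = ver[:2]
    if branch > (4, 23):
        return True            # released after the fix
    fixed = PATCHED_RELEASES.get(branch)
    if fixed is None:
        return None            # unsupported branch, no patched release exists
    return ver >= fixed


def mitigated_conf(text: str) -> str:
    """Produce the immediate mitigation: drop 'wins hook' from [global]."""
    return "\n".join(line for line in text.splitlines()
                     if not re.match(r"\s*wins hook\s*=", line, re.IGNORECASE))


if __name__ == "__main__":
    print(audit_wins_hook(SAMPLE_VULNERABLE_CONF))
    print(audit_wins_hook(mitigated_conf(SAMPLE_VULNERABLE_CONF)))
    for v in ("Version 4.22.4-Debian", "Version 4.23.2", "Version 4.20.1"):
        print(v, "->", is_patched(v))
```

Run the audit against the output of `testparm -s` rather than the raw file, so that includes and defaults are already resolved. The version check only understands upstream numbering; distribution packages often backport the fix under an older version string, in which case the package changelog, not the version, is the authority.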