Introduction
Remote code execution on a domain controller can mean total compromise of an organization's identity infrastructure. CVE-2025-10230 is a critical command injection flaw in Samba's WINS server functionality that, under certain configurations, allows unauthenticated attackers to execute arbitrary commands as the Samba process. This post distills the technical details, affected versions, patch guidance, and detection methods for security teams.
About Samba: Samba is the most widely used open source implementation of the SMB protocol, enabling Linux and Unix systems to interoperate with Windows networks for file sharing, authentication, and Active Directory services. It is included in all major Linux distributions and powers hybrid environments in enterprises, education, and government.
Technical Information
CVE-2025-10230 is a command injection vulnerability in Samba's WINS server implementation, specifically when acting as an Active Directory Domain Controller with both WINS support and a 'wins hook' parameter configured.
- Vulnerability Mechanism: When a WINS registration packet is received, the NetBIOS name from the packet is inserted directly into a shell command that is executed by the Samba process. No validation or escaping is performed on the NetBIOS name, which can be up to 15 characters and may include shell metacharacters.
- Attack Vector: An attacker sends a specially crafted WINS registration packet to UDP port 137 containing a NetBIOS name with shell metacharacters (such as ;, |, &, or backticks). The injected shell code is executed with the privileges of the Samba process, often root.
- Root Cause: Lack of input sanitization for the NetBIOS name field before passing it to a shell command (CWE-78: OS Command Injection).
- Affected Configuration: Only Samba servers acting as Active Directory Domain Controllers with 'wins support = yes' and a non-empty 'wins hook' parameter in smb.conf are vulnerable. The default configuration is not affected.
Patch Information
To address CVE-2025-10230, the Samba team has released patches in versions 4.23.2, 4.22.5, and 4.21.9. The fix ensures NetBIOS names are validated and sanitized before being passed to any shell command via the 'wins hook' mechanism. Administrators should upgrade to one of these versions or apply the official patch from the Samba team.
Detection Methods
Detection of CVE-2025-10230 exploitation involves:
Network Traffic Analysis:
- Monitor UDP port 137 for unusual or unauthorized WINS registration requests, especially from unfamiliar sources.
System Log Monitoring:
- Audit Samba logs for unexpected or unauthorized executions of the 'wins hook' script.
Configuration Audits:
- Review smb.conf for the presence of the 'wins hook' parameter on domain controllers. If set, the system is at risk.
Indicators of Compromise:
- Look for unauthorized shell commands executed by the Samba process, and unexpected network connections initiated by the server.
Monitoring Guidance:
- Use IDS solutions to detect anomalies in network traffic and system behavior related to Samba.
- Regularly review system and Samba logs.
- Ensure unnecessary features like WINS support and 'wins hook' scripts are disabled unless required.
Reference: Samba Security Advisory
Affected Systems and Versions
- Products: Samba (when configured as Active Directory Domain Controller with WINS support and a wins hook parameter)
- Affected Versions:
- All versions from 4.0 up to and including 4.21.8
- 4.22.0 through 4.22.4
- 4.23.0 and 4.23.1
- Vulnerable Configuration:
- 'server role = domain controller' (or equivalent)
- 'wins support = yes'
- Non-empty 'wins hook' parameter in smb.conf
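As an added audit helper for the Configuration Audits step and the Affected Versions list above (example code written for this post, not Samba's own), the following Python checks an smb.conf [global] section for the three listed preconditions and tests a version string against the affected ranges. The accepted 'server role' spellings and the assumption that releases after 4.23.2 carry the fix are assumptions made here; the sample configuration is constructed.

```python
"""Audit helpers for the CVE-2025-10230 preconditions (added example, not Samba code)."""
import re

# Assumption: 'server role' spellings Samba treats as an AD DC (the advisory says "or equivalent").
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc", "ad dc"}
TRUE_VALUES = {"yes", "true", "1"}
# Affected ranges from the advisory; each range ends at the release that carries the fix.
AFFECTED_RANGES = [((4, 0, 0), (4, 21, 9)), ((4, 22, 0), (4, 22, 5)), ((4, 23, 0), (4, 23, 2))]


def parse_global_section(smb_conf: str) -> dict:
    """Return [global] parameters as {normalised-name: value}; other sections and comments are skipped."""
    params, in_global = {}, False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names ("wins hook" == "WinsHook").
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def vulnerable_config(smb_conf: str) -> bool:
    """True only when all three advisory preconditions are present in [global]."""
    p = parse_global_section(smb_conf)
    role_is_dc = p.get("serverrole", "").lower() in AD_DC_ROLES
    wins_on = p.get("winssupport", "no").lower() in TRUE_VALUES
    hook_set = bool(p.get("winshook", ""))
    return role_is_dc and wins_on and hook_set


def version_affected(version: str) -> bool:
    """True if a Samba version string (e.g. '4.22.3-Debian') lies in an affected range.
    Assumption: releases beyond 4.23.2 carry the fix; the advisory does not list them."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    v = parts + (0,) * (3 - len(parts))
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample configuration; it is not taken from any real host.
    SAMPLE = """[global]
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/bin/wins-update.sh
"""
    print("config exposed:", vulnerable_config(SAMPLE), "| 4.22.3 affected:", version_affected("4.22.3"))
```

Run it against a copy of the DC's smb.conf and the output of `smbd --version`; a True from both checks means the host needs the upgrade or the 'wins hook' line removed.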
Vendor Security History
Samba has previously addressed critical vulnerabilities such as:
- CVE-2021-44142 (vfs_fruit module remote code execution)
- CVE-2024-3592 (file server flaw)
The Samba team maintains a mature security advisory process and coordinates closely with major Linux distributions for timely patch delivery. The persistence of this issue across many versions highlights the risks of legacy protocol support.