CVE-2025-10230
CriticalCVSS 10.0Exploitation Probability (EPSS)
Very high risk98th percentile - higher than 98% of all known CVEs
Summary
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller's wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
Risk Assessment
The organization is at risk of remote takeover of the Samba Domain Controller by an unauthenticated attacker, potentially leading to full compromise of the Active Directory domain and access to sensitive data.
Recommendation
Immediately update Samba to a version containing the fix for CVE-2025-10230 and verify whether the WINS hook is in use; if so, temporarily disable it until the update is applied.
Original NVD description (English source)
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.

