External risk intelligence

Samba WINS Hook Command Injection Leading to Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2025-10230

The vulnerability affects Samba WINS (Windows Internet Name Service) hook handling. WINS is a legacy NetBIOS name resolution service typically deployed within internal, private corporate networks to support legacy Windows clients. While reachable over a network, it is rarely exposed directly to the public internet in standard deployment configurations.

OS Command Injection

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical security vulnerability has been identified in Samba, a software that provides file and print services to Windows clients, particularly affecting its handling of NetBIOS names. This flaw allows an unauthenticated attacker on the network to execute commands remotely on the affected Samba process. The main concern is to confirm if your environment uses this specific Samba functionality and is exposed.

  • Flaw lets attackers run commands remotely.
  • Important if Samba's name service is in use.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could send specially crafted registration packets to a Samba Active Directory Domain Controller. These packets contain NetBIOS names that are not properly validated before being used in a shell command. This flaw allows an attacker on the network to execute commands remotely with the privileges of the Samba process.

  • Attacker needs network access.
  • Malicious NetBIOS names in WINS packets.
  • Remote command execution as Samba process.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could execute arbitrary commands on a Samba Active Directory Domain Controller when the WINS hook handling is enabled and processed with unsanitized NetBIOS names. This could impact the integrity and availability of the domain controller and any services it manages.

  • Domain controller command execution.
  • Unsanitized WINS registration packets.
  • Compromise of domain services.

Operational Fix

Recommended remediation, mitigation, and detection steps

In most environments, the platform or infrastructure team managing the Samba Active Directory Domain Controller is responsible for addressing this vulnerability. The first practical step involves identifying all Samba instances running the WINS hook, confirming their network exposure and business criticality, and then assigning ownership for remediation to the appropriate system owner.

  • Identify Samba WINS instances and owners.
  • Verify network reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Samba and how does it function in a network?

Samba is an open-source software suite that enables file and printer sharing services for Windows clients. It allows Linux and Unix systems to operate within Windows environments by providing services like Active Directory domain control. The vulnerability involves the WINS (Windows Internet Name Service) hook, a component used by Samba to resolve older NetBIOS computer names to network addresses.

How does CVE-2025-10230 allow command execution?

This vulnerability is classified as CWE-78, or OS Command Injection. It occurs because the Samba software fails to validate or sanitize NetBIOS names received in registration packets. When these names are passed directly to a system shell, an attacker can insert malicious commands that the server executes, effectively running unauthorized code with the privileges of the Samba process.

Do I need to be authenticated for an attacker to trigger this?

No, authentication is not required. An attacker only needs network access to the Samba instance to send the specially crafted WINS registration packets. The vulnerability is specifically triggered by the processing of these malicious packets through the WINS hook; it will not be triggered if the WINS hook functionality is disabled or if the system is not actively processing these specific name registration requests.

Is my system at risk if it is not internet-facing?

According to Halo Surface Signal, this vulnerability is classified as external because it uses network-based vectors, but it is unlikely to be exposed publicly. WINS is a legacy service typically confined to internal, private corporate networks to support older clients. While not usually on the open internet, any internal device with network visibility to the domain controller could potentially reach the vulnerable component.

How do I start addressing CVE-2025-10230?

Begin by auditing your infrastructure to locate all Samba Active Directory Domain Controllers currently running the WINS hook. Once identified, evaluate the necessity of this legacy feature in your environment. Prioritize mapping these instances to their respective system owners to coordinate a review of network access controls and plan for necessary software updates or configuration changes.

References