Even as businesses push ahead with digital transformation, many legacy technology systems such as Samba (a file-sharing tool common on Linux/Unix) are still quietly operating within the intranets of thousands of organizations worldwide. These seemingly “benign” tools can, however, become the gateway to dangerous exploitation if they are not updated regularly.


The Samba Team has issued security advisories announcing two vulnerabilities. The most notable is the first, CVE-2025-10230, rated at maximum severity (CVSS 10.0): it allows remote code execution without authentication on Active Directory Domain Controller servers with a particular configuration. This affects many business systems that still run old or outdated configurations.

The vulnerability only affects Samba Active Directory Domain Controller (AD DC) systems, i.e., the servers that act as domain and authentication managers in enterprise networks, and only when the WINS server feature is enabled and the “wins hook” parameter is set in the smb.conf file.

This means that not all Samba-based systems are affected, but for organisations still using legacy name-resolution infrastructure or WINS integration the risk is very high.

The CVE-2025-10230 vulnerability stems from Samba’s failure to fully validate input when processing NetBIOS names via the WINS server. Specifically, when a client registers or updates a NetBIOS name, Samba invokes the external program specified by the “wins hook” parameter.

However, the input data (the NetBIOS name) was neither validated nor stripped of shell metacharacters, so an attacker could embed characters such as “;” or “|” into the name and have that content interpreted as part of a shell command string, forcing Samba to run system commands of the attacker’s choosing.

Worse, the attack requires no login: anyone on the network who can reach the WINS server can exploit it.

“The WINS protocol is inherently outdated and too trusting of client-side data, allowing them to send any name as long as it is within the NetBIOS 15-character limit. This creates ideal conditions for embedding malicious shell code and hijacking the system,” said the Samba Team.
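The root cause described above is a classic command-injection pattern: untrusted text (the NetBIOS name) is spliced into a command string that a shell parses. The following Python snippet is an added illustration, not Samba’s own code (Samba’s WINS hook is implemented in C); it contrasts the weak pattern with two hardened forms, a strict name validator plus argv-style invocation without a shell, and `shlex.quote()` for the case where a shell cannot be avoided. The hook path, the `add`/`delete`/`refresh` operation set and the argument layout are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Conservative NetBIOS name policy for this example: at most 15 characters (the
# 16th byte is the NetBIOS suffix) and only characters a shell cannot interpret.
# This is an assumed policy, not Samba's own validation rule.
NETBIOS_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")

# Assumed operation names passed to the hook; adjust to the real hook contract.
WINS_OPERATIONS = {"add", "delete", "refresh"}


def is_safe_netbios_name(name: str) -> bool:
    """True only if the name is within the length limit and free of shell metacharacters."""
    return NETBIOS_NAME_RE.fullmatch(name) is not None


def shell_style_command(hook: str, operation: str, name: str) -> str:
    """The weak pattern: one command string destined for a shell.

    Returned as text only, never executed, so the reader can see that a ';' or
    '|' inside `name` changes the meaning of the whole line.
    """
    return f"{hook} {operation} {name}"


def quoted_command(hook: str, operation: str, name: str) -> str:
    """If a shell is unavoidable, shlex.quote() makes the name a single literal word."""
    return f"{hook} {operation} {shlex.quote(name)}"


def build_hook_argv(hook: str, operation: str, name: str) -> list:
    """The hardened pattern: validate first, then pass the name as its own argv element."""
    if operation not in WINS_OPERATIONS:
        raise ValueError(f"unknown WINS operation: {operation!r}")
    if not is_safe_netbios_name(name):
        raise ValueError(f"rejected NetBIOS name: {name!r}")
    return [hook, operation, name]


def run_hook(hook: str, operation: str, name: str) -> subprocess.CompletedProcess:
    """Run the hook without a shell, so the name is never parsed as command syntax."""
    argv = build_hook_argv(hook, operation, name)
    return subprocess.run(argv, shell=False, check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed inputs: a benign name and one carrying a shell metacharacter.
    hook_path = "/usr/local/sbin/wins-hook"  # placeholder path
    for candidate in ["PC01", "PC01;x"]:
        verdict = "safe" if is_safe_netbios_name(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
        print("  shell-style:", shell_style_command(hook_path, "add", candidate))
        print("  quoted     :", quoted_command(hook_path, "add", candidate))
```

The validator rejects anything outside a small allow-list rather than trying to enumerate dangerous characters, and the argv form means the kernel receives the name as one argument regardless of its content; the quoting variant is the fallback when an existing hook script insists on a shell.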

Unauthenticated remote code execution is one of the most serious vulnerability classes in modern cybersecurity. If the attack succeeds, the attacker may:

  • Install malware or spyware
  • Open a backdoor
  • Gain control of the server
  • Move laterally to other internal systems

Given the role of the Active Directory Domain Controller as the heart of an enterprise authentication system, control of the AD DC amounts to control of the whole internal network, from user accounts to workstations and other servers.

Second flaw: Memory data leak in the vfs_streams_xattr module (CVE-2025-9640)

In addition to the RCE bug, Samba reported a second, medium-severity vulnerability, CVE-2025-9640, in the vfs_streams_xattr module, which provides reading and writing of “Alternate Data Streams” on files.

In some cases, uninitialized memory can be written to a file, allowing a logged-in user to read data left behind in that memory, potentially including sensitive information.

Although Samba already clears sensitive data from memory before releasing it, not all of the affected memory was cleared, leaving a moderate risk of data leakage.

Cybersecurity experts’ recommendations and solutions

For CVE-2025-10230 (critical RCE):

  • Remove the “wins hook” setting from the smb.conf file on Domain Controllers
  • Disable WINS (wins support = no) if it is not used
  • Immediately update Samba to one of the released patches:
    • Samba 4.23.2
    • Samba 4.22.5
    • Samba 4.21.9

Systems that use Samba only as a member server, not as a Domain Controller, are not affected.

For CVE-2025-9640 (memory data leakage):

  • If you do not need to write Alternate Data Streams, remove streams_xattr from the vfs objects entry in the configuration
  • Update to a patched Samba version as a priority
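The two remediation lists above boil down to three checks on each server: is an AD DC running `wins support = yes` together with a `wins hook`, does any section load `streams_xattr`, and is the installed Samba older than the patched release for its branch. The following Python script is an added example, not a tool from the Samba project: it parses an smb.conf (which is INI-like), applies those checks, and compares a version string against the patched releases named above. It embeds two constructed configurations, a weak one and the same server after the recommended changes, so it runs offline; the hook path, share name and file paths in them are placeholders.

```python
import configparser
from typing import Dict, List, Tuple

# Patched releases named in the advisory, keyed by minor branch.
PATCHED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 23): (4, 23, 2),
    (4, 22): (4, 22, 5),
    (4, 21): (4, 21, 9),
}
TRUE_VALUES = {"yes", "true", "1", "on"}

# Constructed smb.conf carrying both exposures (paths and names are placeholders).
WEAK_SMB_CONF = """\
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE
    server role = active directory domain controller
    ; legacy NetBIOS name service kept for old clients
    wins support = yes
    wins hook = /usr/local/sbin/wins-update.sh

[profiles]
    path = /srv/samba/profiles
    vfs objects = acl_xattr streams_xattr
"""

# The same server after applying the advisory's recommendations.
HARDENED_SMB_CONF = """\
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE
    server role = active directory domain controller
    wins support = no

[profiles]
    path = /srv/samba/profiles
    vfs objects = acl_xattr
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: '[section]' headers, 'key = value', '#' or ';' comment lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def is_true(value: str) -> bool:
    """Samba accepts yes/true/1/on (case-insensitive) as boolean true."""
    return value.strip().lower() in TRUE_VALUES


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.22.3' -> (4, 22, 3); extra suffixes beyond the third component are ignored."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def audit_smb_conf(text: str, samba_version: str) -> List[str]:
    """Return one human-readable finding per exposure; an empty list means nothing to do."""
    cp = load_smb_conf(text)
    findings: List[str] = []
    g = cp["global"] if cp.has_section("global") else {}

    role = g.get("server role", "").lower()
    wins_on = is_true(g.get("wins support", "no"))
    hook = g.get("wins hook", "").strip()
    if "domain controller" in role and wins_on and hook:
        findings.append(f"CVE-2025-10230: AD DC with 'wins support = yes' and 'wins hook = {hook}'; remove the hook and patch")
    elif hook:
        findings.append(f"'wins hook = {hook}' is configured; remove it even though the full vulnerable condition is not met")

    # vfs objects may be set globally or per share, so check every section.
    for section in cp.sections():
        modules = cp[section].get("vfs objects", "").split()
        if "streams_xattr" in modules:
            findings.append(f"CVE-2025-9640: [{section}] loads streams_xattr; drop it if Alternate Data Streams are not needed")

    version = parse_version(samba_version)
    branch = version[:2]
    if branch in PATCHED_RELEASES:
        if version < PATCHED_RELEASES[branch]:
            fixed = ".".join(map(str, PATCHED_RELEASES[branch]))
            findings.append(f"Samba {samba_version} predates patched release {fixed}")
    else:
        findings.append(f"Samba {samba_version}: no patched release listed for this branch in the advisory; move to a patched series")
    return findings


if __name__ == "__main__":
    for label, conf, ver in [("weak", WEAK_SMB_CONF, "4.22.3"), ("hardened", HARDENED_SMB_CONF, "4.22.5")]:
        print(f"== {label} (Samba {ver}) ==")
        for finding in audit_smb_conf(conf, ver) or ["no findings"]:
            print(" -", finding)
```

In practice, feed it the output of `testparm -s` rather than the raw file, so that includes and defaults are already resolved, and take the version string from `smbd --version`.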

Warning summary to remember:

CVE-2025-10230 – RCE via wins hook (CRITICAL):

  • Level: CVSS 10.0
  • Affects: Samba AD DC with wins support + wins hook
  • Action:
    • Remove wins hook
    • Disable wins support if not needed
    • Update Samba immediately

CVE-2025-9640 – Memory leak (MEDIUM):

  • Affects: Systems using vfs_streams_xattr
  • Action:
    • Remove the module if not needed
    • Update Samba

This incident is another reminder that old infrastructure that is rarely checked or updated is a serious weakness. A forgotten setting such as wins hook can become a gateway to remote attack even if the system has been running stably for years.

The highest risk lies with businesses that still run internal infrastructure on Samba as their AD, especially where old configurations remain in place or are not routinely audited. Review your Samba configuration, apply the updates, and remember that security starts with taking warnings seriously. If you are a system administrator, developer, or IT executive, share this article with your colleagues so that the whole organization raises its vigilance and takes timely protective measures.

WhiteHat