CVE-2025-10230

CRITICAL

Samba Active Directory WINS Hook - Remote Command Execution


Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-10230. PoCs published by dptsec, adminlove520, nehkark.

AI-analyzed exploit summary: This repository contains a functional Python PoC for CVE-2025-10230, a command injection vulnerability in Samba's WINS hook feature. The exploit crafts a malicious NetBIOS name registration packet to trigger command execution via the 'wins hook' configuration.

Description

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
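A defensive check for the two prerequisites this page lists ('wins support = yes' together with a non-empty 'wins hook'), as an added example that is not part of the original page or of any listed repository. The sample smb.conf text and hook path are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample configurations (not taken from any real host).
EXPOSED_CONF = """\
[global]
    server role = active directory domain controller
    WINS Support = Yes
    wins hook = /usr/local/bin/dns_update
"""
SAFE_CONF = """\
[global]
    wins support = no
    ; wins hook = /usr/local/bin/dns_update
"""

def global_params(text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    # Assumption: parameters placed before any section header count as global.
    params, section, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def wins_hook_exposed(text):
    """True when both prerequisites named on this page are present."""
    p = global_params(text)
    wins_on = p.get("winssupport", "no").lower() in ("yes", "true", "1", "on")
    hook_set = p.get("winshook", "").strip("\"' ") != ""
    return wins_on and hook_set

if __name__ == "__main__":
    for label, conf in (("exposed sample", EXPOSED_CONF), ("safe sample", SAFE_CONF)):
        print(label, "->", "REVIEW" if wins_hook_exposed(conf) else "ok")
```

The parser does not follow `include` directives; on a live host, run it over the output of `testparm -s`, which prints the resolved configuration.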

Exploits (4)

github · WORKING POC · 6 stars
by dptsec · python · poc
https://github.com/dptsec/CVE-2025-10230

This repository contains a functional Python PoC for CVE-2025-10230, a command injection vulnerability in Samba's WINS hook feature. The exploit crafts a malicious NetBIOS name registration packet to trigger command execution via the 'wins hook' configuration.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Samba < 4.23.2, 4.22.5, and 4.21.9 with WINS support enabled
No auth needed
Prerequisites: WINS support enabled in Samba · A 'wins hook' specified in configuration
devstral-2 · analyzed Feb 19, 2026

github · WORKING POC · 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-10230

This repository contains a functional PoC for CVE-2025-10230, a command injection vulnerability in Samba's WINS hook mechanism. The exploit sends a crafted NetBIOS registration packet to trigger arbitrary command execution on vulnerable Samba servers with specific configurations.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Samba (versions 4.22.0 and earlier with WINS support and wins hook enabled)
No auth needed
Prerequisites: Samba with 'wins support = yes' and a non-empty 'wins hook' parameter · Network access to UDP port 137
devstral-2 · analyzed Feb 27, 2026

nomisec · WORKING POC · 1 star
by nehkark · poc
https://github.com/nehkark/CVE-2025-10230

This repository contains a functional PoC for CVE-2025-10230, a command injection vulnerability in Samba's WINS hook mechanism. The exploit crafts malformed NetBIOS registration packets to trigger arbitrary command execution on vulnerable Samba servers.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Samba (versions with WINS support and wins hook configured)
No auth needed
Prerequisites: Samba with 'wins support = yes' and a 'wins hook' parameter configured · Network access to UDP port 137 on the target
devstral-2 · analyzed Feb 16, 2026

nomisec · WRITEUP
by marcostolosa · poc
https://github.com/marcostolosa/CVE-2025-10230

This repository provides an educational writeup and interactive visualization for CVE-2025-10230, a critical RCE vulnerability in Samba's WINS name registration handling. It does not contain exploit code but describes the attack vector and setup for a React-based infographic.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Samba (with WINS support enabled)
No auth needed
Prerequisites: Samba configured as a Domain Controller with `wins support = yes` and a `wins hook` script defined
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 10.0
EPSS: 0.3899
EPSS Percentile: 98.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (6):
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
Red Hat/Red Hat OpenShift Container Platform 4
Published: Nov 07, 2025
Tracked Since: Feb 18, 2026