Cyber Resilience

CVE-2025-0620

Medium

Published: 06 June 2025

Modified: 08 January 2026
CVSS Score v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0025 (48.5th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0620 is a medium-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Samba. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Network Shared Drive (T1039). By exploit likelihood it ranks at the 48.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.

CWE(s)

CWE-552: Files or Directories Accessible to External Parties

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1039 · Data from Network Shared Drive · Collection
Adversaries may search network shares on computers they have compromised to find files of interest.

T1078.002 · Domain Accounts · Stealth
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability enables continued unauthorized access to SMB file shares using domain accounts even after group membership revocation during session re-authentication, facilitating T1078.002 (Valid Accounts: Domain Accounts) for persistence/lateral movement and T1039 (Data from Network Shared Drive) for collection.

Affected Assets

samba
4.21.0 — 4.21.6 · 4.22.0 — 4.22.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-552:

Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.

Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.

Identifying and documenting file and directory locations allows restriction of access to external parties.

Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.

Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.

Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.

Media access restrictions prevent files or directories from being accessible to external parties.

Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses.
