CVE-2025-10230
Published: 07 November 2025
Summary
CVE-2025-10230 is a critical-severity OS Command Injection (CWE-78) vulnerability in Samba, in the WINS hook handling of the Samba Active Directory Domain Controller. Its CVSS v3.1 base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): timely application of the Samba and Red Hat patches removes the command injection in the WINS hook handling.
SI-10 (Information Input Validation): validating and escaping NetBIOS names taken from WINS registration packets before they reach a shell command, or better, invoking the hook with an argument vector and no shell at all, prevents the remote command injection.
Least functionality: if no WINS hook script is needed, leave the `wins hook` parameter unset in smb.conf on the Samba Active Directory Domain Controller. Per the smb.conf(5) description of that parameter, the external script only runs when it is configured, so leaving it unset removes the code path that builds the shell command and shrinks the surface exposed to unauthenticated network attackers.
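The vulnerable pattern beside a hardened call site, as an added example written for this page (it is not Samba's source): an untrusted NetBIOS name concatenated into a shell string, versus validation against an allow-list followed by argv-style execution with no shell. The hook path, the argument order (taken from the smb.conf(5) description of `wins hook` and assumed here) and the allow-list regex are assumptions made for the example.

```python
"""Shell-string vs. argv invocation of a WINS hook script.

Added example for this page: it is not Samba's code. It models the bug
class (CWE-78) behind CVE-2025-10230 and one way to harden the call site.
Assumptions: the hook path, the argument order (operation, name, name type,
TTL, addresses, following the smb.conf(5) description of 'wins hook') and
the conservative allow-list regex are all chosen here for illustration.
"""
import ipaddress
import re
import subprocess

HOOK_PATH = "/usr/local/sbin/wins_hook"  # hypothetical script path

# Conservative allow-list for NetBIOS names: 1-15 printable characters,
# no shell metacharacters (` $ ; | & < > ( ) \ ' " and whitespace).
# Assumption for this example; adjust to match your naming policy.
NETBIOS_NAME_RE = re.compile(r"^[A-Za-z0-9!#%@^_{}~.\-]{1,15}$")

VALID_OPERATIONS = {"add", "delete", "refresh"}


def build_hook_command_unsafe(hook, operation, name, ntype, ttl, addresses):
    """Vulnerable pattern: untrusted name concatenated into one shell string.

    Under `sh -c`, a name such as 'PC1;id' ends the hook command at ';' and
    runs 'id' (or anything else) with the daemon's privileges.
    """
    return f"{hook} {operation} {name} {ntype:02x} {ttl} {' '.join(addresses)}"


def netbios_name_is_safe(name):
    """True only if the name matches the allow-list above."""
    return NETBIOS_NAME_RE.fullmatch(name) is not None


def build_hook_argv(hook, operation, name, ntype, ttl, addresses):
    """Hardened pattern: validate every field, then pass an argv list.

    No shell is involved, so metacharacters in the name could not be
    interpreted even if validation were bypassed; the allow-list is
    defence in depth and also protects a hook script that re-embeds
    its arguments in a shell command of its own.
    """
    if operation not in VALID_OPERATIONS:
        raise ValueError(f"unexpected operation {operation!r}")
    if not netbios_name_is_safe(name):
        raise ValueError(f"rejecting NetBIOS name {name!r}")
    if not 0 <= ntype <= 0xFF:
        raise ValueError("name type must be one byte")
    for addr in addresses:
        ipaddress.ip_address(addr)  # raises ValueError on garbage
    return [hook, operation, name, f"{ntype:02x}", str(int(ttl)), *addresses]


def run_hook_safe(argv, timeout=10):
    """Execute the hook without a shell; returns the exit status."""
    result = subprocess.run(argv, shell=False, check=False, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    injected = "PC1;id"
    print("shell string:", build_hook_command_unsafe(HOOK_PATH, "add", injected, 0x20, 300, ["192.0.2.5"]))
    try:
        build_hook_argv(HOOK_PATH, "add", injected, 0x20, 300, ["192.0.2.5"])
    except ValueError as exc:
        print("argv path rejected it:", exc)
    print("argv for a normal name:", build_hook_argv(HOOK_PATH, "add", "PC1", 0x20, 300, ["192.0.2.5"]))
```

The argv form is the structural fix: the kernel receives the name as one argument, so `;`, `$(...)` and backticks have no meaning. The allow-list is kept because a hook script that itself does `eval` or string-builds a command would reintroduce the shell, and a rejected name is also a useful log event.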
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection via crafted WINS registration packets is exploitation of a public-facing application (T1190) when the domain controller's WINS port is reachable from outside, or of a remote service (T1210) from inside the network; either path ends in Unix shell execution (T1059.004) as the Samba process.
NVD Description
A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller's wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.
Deeper analysis
CVE-2025-10230, published on 2025-11-07, is a critical command injection vulnerability (CWE-78) in Samba's front-end WINS hook handling within the Samba Active Directory Domain Controller. NetBIOS names from WINS registration packets are passed to a shell without proper validation or escaping, allowing unsanitized data to be inserted into executed shell commands. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated network attacker can exploit this flaw by sending malicious WINS registration packets containing crafted NetBIOS names. Successful exploitation enables remote command execution with the privileges of the Samba process, potentially leading to full compromise of the affected domain controller.
Advisories from Samba and Red Hat provide patches and mitigation guidance:
- Red Hat security bulletin: https://access.redhat.com/security/cve/CVE-2025-10230
- Samba security history: https://www.samba.org/samba/history/security.html
- Red Hat Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=2394377
- Vicarius detection post: https://www.vicarius.io/vsociety/posts/cve-2025-10230-detect-samba-vulnerability
- Vicarius mitigation post: https://www.vicarius.io/vsociety/posts/cve-2025-10230-mitigate-samba-vulnerability
Details
- CWE(s)