CVE-2025-10230 CRITICAL

CVE-2025-10230: Samba: command injection in wins server hook script

Vendor Red Hat

Product Red Hat Enterprise Linux 10

Weakness CWE-78

Published November 7, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller’s wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process.

Key dates

02Disclosure timeline

November 7, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10230 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2025-10230

CWE CWE-78

CVSS 10.0 / CRITICAL

Affected versions

Vendor Red Hat

Product Red Hat Enterprise Linux 10

Affected All versions

Vendor Red Hat

Product Red Hat Enterprise Linux 6

Affected All versions

Vendor Red Hat

Product Red Hat Enterprise Linux 6

Affected All versions

Vendor Red Hat

Product Red Hat Enterprise Linux 7

Affected All versions

Vendor Red Hat

Product Red Hat Enterprise Linux 8

Affected All versions

Vendor Red Hat

Product Red Hat Enterprise Linux 9

Affected All versions

Vendor Red Hat

Product Red Hat OpenShift Container Platform 4

Affected All versions

CVE-2025-10230: Samba: command injection in wins server hook script

01Description

02Disclosure timeline

03References

04Related CVE