
Samba command injection vulnerability via WINS server hook script (CVE-2025-10230)


Apr 03, 2026

Summary

Samba is prone to a command injection vulnerability via its WINS server hook script when configured as an Active Directory Domain Controller.

| Vulnerability ID | Vulnerability Overview |
| --- | --- |
| CVE-2025-10230 | The WINS server in Samba Active Directory Domain Controllers fails to validate names passed to the 'wins hook' program. Unvalidated NetBIOS names containing shell metacharacters are inserted into a command string, which allows an attacker to execute arbitrary commands on the host. |


Affected Supported TeraStations

None
This vulnerability only affects environments operating as an AD domain controller. Samba within TeraStation does not operate in this mode; therefore, TeraStation products are not affected by this issue.
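
The exposure condition described above can be checked against a Samba configuration file. The following is an added example, not code from Buffalo or the Samba project: it parses the `[global]` section of an smb.conf and reports whether the host is an AD domain controller with a WINS hook configured. The additional check on `wins support` (the smb.conf parameter that enables the WINS server) is an assumption not stated on this page, and the sample configurations and hook path are constructed.

```python
import re

TRUE_VALUES = {"yes", "true", "on", "1"}   # spellings Samba accepts for a true boolean
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and spaces inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def wins_hook_exposure(text):
    """Return (status, reason) for the conditions described in the advisory."""
    p = parse_global(text)
    role = " ".join(p.get("serverrole", "auto").lower().split())
    if role not in AD_DC_ROLES:
        return "not-affected", "server role is '%s', not an AD domain controller" % role
    wins_on = p.get("winssupport", "no").lower() in TRUE_VALUES
    hook = p.get("winshook", "")
    if wins_on and hook:
        return "exposed", "AD DC runs the WINS server with wins hook = " + hook
    return "not-exposed", "AD DC, but no WINS server with a hook is configured"

# Constructed sample configurations; the hook path is a placeholder.
FILE_SERVER = """
[global]
   server role = standalone server
   wins support = yes
   wins hook = /usr/local/bin/wins-update
"""
DOMAIN_CONTROLLER = """
[global]
   Server Role = active directory domain controller
   wins support = yes
   WINS Hook = /usr/local/bin/wins-update
"""

if __name__ == "__main__":
    for label, conf in (("file server", FILE_SERVER), ("domain controller", DOMAIN_CONTROLLER)):
        print(label, "->", wins_hook_exposure(conf))
```

The check covers configuration only: it does not follow `include` directives or look at the installed Samba version. Running it over the output of `testparm -s` evaluates the effective configuration.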
 


| Date | Description |
| --- | --- |
| 04/03/2026 | Initial release |