Samba CVSS 10.0 Vulnerability Analysis: Why Externally Accessible SMB Services are Dangerous

On May 26, 2026, the Samba Team released Samba 4.22.10, 4.23.8, and 4.24.3 security releases, fixing multiple vulnerabilities. Among them, CVE-2026-4480 and CVE-2026-4408 are both remote code execution vulnerabilities rated CVSS 10.0. Under specific configuration conditions, they carry the risk that an unauthenticated remote attacker can execute arbitrary commands on a Samba server.

Samba is open-source software that provides Windows file sharing, printer sharing, and domain controller functions on Linux and Unix-like systems. It is used in various environments such as internal corporate networks, NAS, file servers, backup servers, and legacy systems, and provides interoperability with Windows-based infrastructure through the SMB protocol.

Responding to these vulnerabilities is not simply a matter of updating Samba to the latest version. Samba is an infrastructure component directly connected to file sharing, authentication, and domain environments. In particular, when SMB port 445 is exposed to the internet, attackers can identify Samba-based services from outside and probe for vulnerable configuration combinations. The actual security risk therefore depends not only on the existence of the vulnerability, but also on whether the Samba service is externally accessible and how it is configured.

This article examines the technical causes and attack flow of CVE-2026-4480 and CVE-2026-4408, and analyzes the points where internet-exposed Samba services can lead to actual attack surfaces.

Samba Vulnerability Overview

Item                     | Details
Affected Product         | Samba
Major Vulnerabilities    | CVE-2026-4480, CVE-2026-4408
Vulnerability Type       | Remote Code Execution
CVSS Score               | 10.0 (Critical)
Affected Versions        | All Samba versions (affected under specific configuration conditions)
Patched Versions         | 4.22.10, 4.23.8, 4.24.3
Major Attack Conditions  | Specific smb.conf settings, Samba printing subsystem, or DCE/RPC SAMR server configuration
Major Risk               | Unauthenticated remote command execution, server takeover, internal network spread

The vulnerabilities that require the most attention in this security update are CVE-2026-4480 and CVE-2026-4408. Both share the same root cause: a client-controllable string is substituted into a command line (via an smb.conf %-substitution) that is then handed to the shell, without escaping shell metacharacters in the substituted value.

However, not all Samba servers are vulnerable under the same conditions. The actual impact must be confirmed together with Samba configuration and external accessibility.

CVE-2026-4480: Command Injection Vulnerability in the Samba Printing Subsystem

CVE-2026-4480 is a remote code execution vulnerability that occurs in the Samba printing subsystem. This vulnerability can affect cases where a Samba print server uses the %J substitution character in the print command setting.

When processing print jobs, Samba substitutes the client-controllable job description into the configured print command. If that command uses the %J substitution and shell metacharacters in the job description are not properly escaped, an attacker can inject additional shell commands through a manipulated job description. On Samba servers with this configuration, the result is remote command execution with the privileges of the print command.

The core of this vulnerability lies more in the print command configuration method than in the Samba version itself. In particular, when an externally accessible SMB service is combined with a vulnerable printing configuration, a Samba server operated for file sharing or printer sharing can be converted into an entry point for remote code execution attacks.

However, environments that use printing = cups or printing = iprint, or environments where the print command setting does not include the %J substitution character, are not directly affected by this vulnerability. Still, in operating environments, old Samba settings may remain unchanged, or command-based settings added in the past for printer integration may still exist. For this reason, the actual impact is difficult to determine only by checking the version, and an smb.conf configuration review is required.

CVE-2026-4408: Password Verification Script Vulnerability in the DCE/RPC SAMR Server

CVE-2026-4408 is a remote code execution vulnerability that occurs in the Samba DCE/RPC SAMR server. This vulnerability can occur in Samba file server or classic non-AD domain controller environments when samba-dcerpcd is running as a system service and the %u substitution character is used in the check password script setting.

When Samba processes password change or reset requests, it can pass the client-supplied username to the check password script. If that setting uses the %u substitution and shell metacharacters in the username are not sufficiently handled, an attacker can attempt remote command execution through a manipulated username.

This vulnerability becomes more dangerous in specific non-standard configurations than in general default configurations. For example, environments where rpc start on demand helpers is set to no, rather than the default value, and where samba-dcerpcd operates as a system service are the main affected targets. In addition, Active Directory Domain Controllers are excluded from direct impact because they do not expand the %u substitution in this way.

However, in corporate environments, Samba is sometimes used beyond a simple file server for legacy authentication, password policies, domain integration, and backup server access control. If vulnerable script settings remain in these environments, an attacker can abuse the password verification flow to pass manipulated input values and attempt to obtain server privileges through them.
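To make the shared root cause of the two CVEs concrete, the following is an added example, not Samba source code: a small Python model of how a %-substitution (%J for the job description, %u for the username) expands into a command line that is then run by /bin/sh. The command templates, the tainted inputs, and the use of shlex.quote as the escaping step are all constructed for illustration; Samba's real substitution engine and the actual fixes in 4.22.10/4.23.8/4.24.3 are not reproduced here. The point it shows is why the page's checks focus on whether %J or %u appears in a command setting at all.

```python
"""Model of %X substitution into a shell command line.

Added example, not Samba source code. It reproduces the pattern the two
CVEs share: a client-supplied string (a print job description for %J, a
username for %u) is substituted into a command template that is then
handed to /bin/sh. Templates and inputs below are constructed.
"""
import shlex
import subprocess

# Constructed templates in the style of smb.conf command settings.
PRINT_COMMAND = "echo job=%J"            # stands in for a 'print command' using %J
CHECK_PASSWORD_SCRIPT = "echo user=%u"   # stands in for a 'check password script' using %u


def substitute(template: str, values: dict[str, str], escape: bool) -> str:
    """Expand %X tokens in template.

    With escape=False the raw value is spliced in (the vulnerable pattern).
    With escape=True each value is wrapped by shlex.quote, so any shell
    metacharacters it carries are passed to the command as literal text.
    """
    out = template
    for token, value in values.items():
        out = out.replace("%" + token, shlex.quote(value) if escape else value)
    return out


def run_sh(cmdline: str) -> list[str]:
    """Run the expanded command line through /bin/sh; return stdout lines."""
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def demo(template: str, token: str, tainted: str) -> tuple[list[str], list[str]]:
    """Return (output with raw substitution, output with escaped substitution)."""
    raw = run_sh(substitute(template, {token: tainted}, escape=False))
    safe = run_sh(substitute(template, {token: tainted}, escape=True))
    return raw, safe


if __name__ == "__main__":
    # Constructed tainted inputs: a job description and a username that each
    # smuggle a second command after ';'. The payload is a harmless echo.
    cases = (
        ("print command / %J", PRINT_COMMAND, "J", "quarterly report; echo INJECTED-VIA-J"),
        ("check password script / %u", CHECK_PASSWORD_SCRIPT, "u", "alice; echo INJECTED-VIA-u"),
    )
    for name, template, token, tainted in cases:
        raw, safe = demo(template, token, tainted)
        print(f"[{name}] unescaped -> {raw}")   # two lines: the second is the injected command
        print(f"[{name}] escaped   -> {safe}")  # one line: the metacharacters stayed literal
```

With the raw substitution the shell sees two statements and runs both; with the value quoted it sees one `echo` whose argument happens to contain a semicolon. Escaping at the substitution point is one way to close this class of bug, but for an operator the simpler and more reliable step this article recommends is to remove %J and %u from the command settings entirely and to apply the security release.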

Attack Flow: From Externally Exposed SMB Services to Internal Spread


The actual risk of this Samba vulnerability increases when “vulnerable configuration” and “external accessibility” are combined. Samba is often used inside internal networks by nature, but there are cases where SMB port 445 is exposed to the internet due to incorrect firewall policies, NAS remote access settings, cloud server configuration errors, or file sharing environments publicly exposed without a VPN.

The expected attack flow is as follows.

  1. Scanning SMB port 445 exposed to the internet
  2. Identifying Samba assets based on Samba response banners, SMB protocol characteristics, and service fingerprints
  3. Prioritizing attack targets based on Samba version or the possibility of specific configurations
  4. Checking the possibility of exploiting the printing subsystem and print command settings related to CVE-2026-4480
  5. Checking the possibility of exploiting the DCE/RPC SAMR service and password verification script settings related to CVE-2026-4408
  6. Obtaining server privileges when remote command execution succeeds
  7. Accessing internal files, account information, shared directories, and backup data
  8. Expanding to internal network movement, credential theft, ransomware deployment, and data exfiltration

In this way, an externally exposed Samba service can become a high-risk attack surface when combined with vulnerable configurations, beyond simply being an open port.

Samba mainly provides SMB/CIFS-based file sharing services, and the representative port for SMB is TCP 445. Therefore, to identify Samba-based SMB services exposed to the internet, the following query can be used in Criminal IP Asset Search.

Search results for product: “Samba” port: 445 exposed assets in Criminal IP Asset Search

Criminal IP Search Query: product: "Samba" port: 445

As a result of searching for Samba assets exposed on port 445 in Criminal IP Asset Search, 63,055 exposed assets were identified as of June 2026. This figure shows that Samba-based SMB services are still exposed to the internet on a large scale. SMB port 445 is a core port used for Windows file sharing and Samba-based file sharing, and it is generally a service that rarely needs to be directly exposed to the external internet.

However, these vulnerabilities affect Samba, not Windows' native SMB implementation. The actual impact depends more on the installed Samba version and configuration conditions than on the operating system itself. In particular, for CVE-2026-4480, whether the %J substitution character is used in the print command setting is the key criterion.

Nevertheless, the fact that more than 60,000 Samba assets are identifiable from the outside means that whenever a Samba vulnerability is disclosed, attackers can select potentially vulnerable targets through scan-based methods.

In addition, the country distribution also shows a concentration of Samba exposed assets. Based on Criminal IP search results, the top countries were Pakistan with 32,466 cases, the United States with 4,446 cases, Portugal with 3,472 cases, Germany with 2,770 cases, and Réunion with 2,156 cases. This concentration of exposed assets in specific countries shows that Samba-based file sharing services are still operated in an externally accessible form in some network environments.

SMB version, NetBIOS, and shared information identified from externally exposed Samba assets

Looking closely at some of the exposed instances, it is possible to confirm not only the fact that port 445 is open, but also Samba version, SMB protocol information, NetBIOS computer name, domain name, and shared information. For example, some assets expose old Samba responses such as Samba 4.3.11-Ubuntu, SMBv1 support status, and IPC$ and print$ share information. This information does not mean that the asset is immediately affected by the vulnerability, but from an attacker’s perspective, it can become a clue for estimating the operating environment of an externally exposed Samba server, legacy protocol usage, the possibility of printer sharing-related configuration, and internal domain information. Such response information can be used as a reference indicator to understand how Samba-based file sharing services are identified externally.

Risks of Externally Exposed Samba Assets

Samba is often closely connected to internal file sharing, authentication flows, and domain environments. For this reason, if an externally exposed Samba server is compromised, access can expand to shared folders, user accounts, internal hostnames, backup files, and configuration files.

The key points that require attention in externally exposed Samba assets are as follows.

  • SMB port 445 is a familiar scan target for attackers. In past large-scale malware and ransomware attacks, SMB services have also been repeatedly abused as initial intrusion or internal spread paths. Therefore, in environments where SMB port 445 is exposed to the internet, large-scale scanning and target selection may take place quickly after vulnerability disclosure.
  • Samba often remains in long-running legacy systems. NAS, printer servers, backup servers, and internal file servers are difficult to replace immediately for reasons of business continuity, and security patch application may be delayed due to concerns over operational disruption. Such long-maintained file sharing infrastructure becomes a repeated inspection target whenever a new vulnerability is disclosed.
  • This vulnerability is difficult to determine in terms of impact only by checking the version. CVE-2026-4480 and CVE-2026-4408 are both configuration-based vulnerabilities where the risk increases under specific configuration conditions. To confirm the actual impact, it is necessary to check not only the Samba version, but also smb.conf settings, printing subsystem configuration, DCE/RPC execution method, and whether a password verification script is used.

The risk of externally exposed Samba assets becomes greater not because of “Samba usage” itself, but when external accessibility, old operating environments, and vulnerable configuration combinations exist together. Therefore, organizations should first identify Samba services that are visible from the internet, and review both patch status and actual configurations together.

Response and Inspection Measures

Samba operators should first update to the official security releases Samba 4.22.10, 4.23.8, 4.24.3, or later versions. In environments where immediate patching is difficult, vulnerable settings should be removed, or mitigation measures that restrict external access should be applied first.

In operating environments, the following items need to be checked first.

  • Check whether the Samba version is 4.22.10, 4.23.8, 4.24.3, or later
  • Check whether SMB port 445 is directly exposed to the internet
  • Check whether external access is allowed in firewall, security group, and port forwarding settings
  • Check whether the print command setting includes the %J substitution character
  • Check whether the check password script setting includes the %u substitution character
  • Review guest access permission and shared directory permissions
  • Check whether printer sharing functions and print$ shares are used
  • Check DCE/RPC-related settings and the execution method of samba-dcerpcd
  • Check Samba usage and patch status on NAS, backup servers, and legacy file servers

Even if an organization recognizes Samba servers as internal-network-only assets, they may actually be accessible from the outside due to cloud security groups, port forwarding, temporary test servers, or NAS remote access settings.
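The configuration items in the checklist above can be reviewed mechanically. The following is an added example, not a Samba Team tool: a Python script that parses an smb.conf and reports the conditions this article ties to CVE-2026-4480 (a print command containing %J where the printing backend is not cups or iprint) and CVE-2026-4408 (a check password script containing %u outside an Active Directory DC role, with the non-default rpc start on demand helpers = no noted). The sample smb.conf is constructed. The script reads the raw file; where available, feeding it the output of `testparm -s` is better, because that expands include directives and shows effective values.

```python
"""Audit smb.conf for the configuration conditions this article ties to
CVE-2026-4480 (print command using %J) and CVE-2026-4408 (check password
script using %u, with samba-dcerpcd run as a system service).

Added example, not a Samba Team tool. The sample smb.conf is constructed.
"""
import re

CVE_PRINT = "CVE-2026-4480"
CVE_SAMR = "CVE-2026-4408"


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, name = value lines,
    '#'/';' comments and backslash continuations. Parameter names are
    normalized the way Samba matches them: lower-case, whitespace removed
    ('Print Command' == 'print command' == 'printcommand')."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", stripped)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            continue
        name, value = stripped.split("=", 1)
        sections[current][re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections


def _is_no(value: str) -> bool:
    return value.strip().lower() in ("no", "false", "0")


def audit(conf: dict[str, dict[str, str]]) -> list[str]:
    """Return one finding per matched condition; an empty list means nothing flagged."""
    findings = []
    glob = conf.get("global", {})

    # CVE-2026-4480: a print command that substitutes the client-supplied job
    # description (%J). printing = cups / iprint is stated as not directly
    # affected. An unset backend is build-dependent, so it is reported for
    # review rather than assumed safe.
    for section, params in conf.items():
        cmd = params.get("printcommand")
        if cmd is None or "%J" not in cmd:
            continue
        backend = params.get("printing", glob.get("printing", "")).lower()
        if backend in ("cups", "iprint"):
            continue
        where = f"[{section}] print command = {cmd}"
        if backend:
            findings.append(f"{CVE_PRINT}: %J used with printing = {backend}: {where}")
        else:
            findings.append(f"{CVE_PRINT}: %J used and printing not set (review build default): {where}")

    # CVE-2026-4408: check password script substituting the client-supplied
    # username (%u), outside an AD DC role; the article names
    # rpc start on demand helpers = no (samba-dcerpcd as a system service)
    # as the main affected case, so that is noted when present.
    script = glob.get("checkpasswordscript", "")
    role = glob.get("serverrole", "").lower()
    if "%u" in script and "active directory" not in role:
        note = f"{CVE_SAMR}: %u used in check password script = {script}"
        if _is_no(glob.get("rpcstartondemandhelpers", "yes")):
            note += " (rpc start on demand helpers = no: samba-dcerpcd as system service)"
        findings.append(note)
    return findings


# Constructed sample: a legacy print share using %J, a cups share that is not
# flagged, and a global check password script using %u with on-demand helpers off.
SAMPLE_SMB_CONF = """
[global]
   workgroup = LEGACY
   server role = standalone server
   printing = bsd
   check password script = /usr/local/bin/pwcheck.sh %u
   rpc start on demand helpers = no

[printers]
   path = /var/spool/samba
   printable = yes
   print command = /usr/local/bin/submit.sh %p %s "%J"

[cups-printers]
   printing = cups
   printable = yes
   print command = /usr/local/bin/cups-submit.sh %p %s "%J"
"""

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against `testparm -s` output (for example `testparm -s /etc/samba/smb.conf 2>/dev/null | python3 audit_smb_conf.py` with a small stdin wrapper) on every Samba host, including NAS and backup appliances, and treat any finding as a configuration to change in addition to, not instead of, installing 4.22.10, 4.23.8, or 4.24.3. A clean result from this script says nothing about whether port 445 is reachable from the internet; that check is separate.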

FAQ

Q1. Are all Samba servers vulnerable to CVE-2026-4480 and CVE-2026-4408?

No. The exploitability of both vulnerabilities increases under specific configuration conditions. For CVE-2026-4480, the main condition is a print server configuration where the print command includes the %J substitution character. For CVE-2026-4408, the main affected targets are environments where the check password script includes the %u substitution character and samba-dcerpcd runs in a specific way. Therefore, not only the Samba version but also the actual smb.conf settings must be checked together.

Q2. Are all assets vulnerable if SMB port 445 is open?

The fact that SMB port 445 is open does not mean that the asset is immediately vulnerable. However, SMB is generally a service that has little need to be directly exposed to the internet. If it is accessible from outside, attackers can additionally check Samba version, service banners, shared information, authentication settings, and whether printer sharing is enabled. Therefore, it is advisable to include such assets in priority inspection targets.

Q3. Is patching alone enough?

Patching is essential, but patching alone may not be enough. This vulnerability is closely related to specific configuration conditions, so print command, check password script, DCE/RPC execution method, and printer sharing configuration must also be checked together. In addition, if SMB port 445 is exposed to the internet, external access should be blocked, or access control should be strengthened through VPN, IP allowlists, and firewall policies.

Conclusion

CVE-2026-4480 and CVE-2026-4408 are high-risk vulnerabilities that can lead to remote command execution under specific Samba configuration conditions. Both vulnerabilities were rated CVSS 10.0, but actual exploitability is difficult to determine by version information alone. Actual operating settings such as print command, check password script, DCE/RPC execution method, and printer sharing configuration must also be checked together.

The part that requires particular attention in this issue is whether the Samba service is externally exposed. Samba is often connected to internal file sharing, authentication flows, backup servers, NAS, and legacy systems. Therefore, if SMB port 445 is exposed to the internet, attackers can select attack targets based on service banners, SMB protocol responses, and shared information.

Response to Samba vulnerabilities does not end with applying security releases. While updating to patched versions, organizations must also check externally exposed SMB port 445, actual smb.conf settings, printer sharing and DCE/RPC configurations, and shared directory permissions. Unnecessarily exposed Samba services should be blocked, and if external access is required, the access scope should be restricted through VPN, IP allowlists, and firewall policies.

In relation to this, you can refer to SonicWall SSL-VPN MFA Bypass Vulnerability: The Attack Surface Between “Patched” and “Protected”

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.

Source: Criminal IP(https://www.criminalip.io/), Daily CyberSecurity(https://securityonline.info/critical-samba-vulnerabilities-cvss-10)

Related Article: https://www.criminalip.io/knowledge-hub/blog/34923