Samba Hit with CVSS 10 Zero-Auth RCE — Patch Your File Servers Now
If your business runs a Linux file server, NAS appliance, or anything serving SMB/CIFS file shares, check your Samba version right now. CVE-2026-4480 — a maximum-severity (CVSS 10.0) remote code execution flaw in Samba's printing subsystem — requires zero credentials to exploit. Any attacker who can reach the server on the network can run arbitrary shell commands on it.
What the Flaw Is
The vulnerability lives in how Samba handles the %J substitution in its print command configuration. Samba substitutes the client-supplied print job description directly into a shell command without escaping shell metacharacters. An attacker sends a crafted print job with embedded shell syntax — semicolons, backticks, pipes — and the server executes whatever they embedded. The job description field was never designed to be trusted input, and for years it wasn't sanitized.
The brutal part: Samba permits guest printing by default. No username. No password. Network access alone is enough to trigger it.
Who's Exposed
- Any Linux or Unix server running Samba with a print command that includes %J
- NAS appliances (Synology, QNAP, TrueNAS, OpenMediaVault) that bundle Samba for file sharing
- Office servers doubling as print servers — a setup that's older and more common than people remember
- Hosting and VPS environments where Samba serves shared directories for legacy Windows clients
Systems configured with printing = cups or printing = iprint are not affected. Neither are servers whose print command doesn't include %J. But if your smb.conf was set up years ago and has never been audited, do not assume you're safe: run testparm -sv to dump the effective configuration with defaults included, and check what print command and printing actually resolve to for every printable share, not just what is written in the file.
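The exposure rules above can be turned into a mechanical check. The script below is an added example, not Samba project code: it parses smb.conf text with a small parser (section headers, key = value lines, comments; no include= or continuation lines), resolves each printable share's effective print command and printing backend through [global], and reports whether %J reaches a shell-backed print command and whether the share is reachable without credentials. The Samba defaults it assumes (map to guest = Never, guest ok = no, printable = no) are noted in the code; the two configurations are constructed samples, one vulnerable and one hardened the way the article recommends.

```python
"""Audit smb.conf text for the %J print-command exposure.

Added example, not Samba project code. Rules as stated in the article: a
printer share is exposed when its effective 'print command' contains %J and
its effective 'printing' backend is neither cups nor iprint; it is reachable
without credentials when the share is guest-accessible or 'map to guest' is
anything but Never. Assumed defaults: map to guest = Never, guest ok = no,
printable = no.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

YES = {"yes", "true", "1"}
SAFE_BACKENDS = {"cups", "iprint"}  # print command is not used for these


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: [section] headers, 'key = value' lines, '#'/';' comments.
    Samba ignores case and whitespace in parameter names, so keys are stored
    lower-case with whitespace removed ('Print Command' -> 'printcommand')."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def effective(sections: Dict[str, Dict[str, str]], share: str, key: str,
              default: str = "") -> str:
    """Share-level value wins, then [global], then the supplied default."""
    return (sections.get(share, {}).get(key)
            or sections.get("global", {}).get(key)
            or default)


@dataclass
class Finding:
    share: str
    exposed: Optional[bool]  # None: cannot tell from this file alone
    unauthenticated: bool    # reachable by a client with no credentials
    reason: str


def audit(text: str) -> List[Finding]:
    sections = parse_smb_conf(text)
    map_to_guest = sections.get("global", {}).get("maptoguest", "never").lower()
    findings: List[Finding] = []
    for share in sections:
        if share == "global":
            continue
        printable = any(effective(sections, share, k, "no").lower() in YES
                        for k in ("printable", "printok"))
        if share != "printers" and not printable:
            continue  # ordinary file share: out of scope here
        backend = effective(sections, share, "printing").lower()
        command = effective(sections, share, "printcommand")
        guest_ok = any(effective(sections, share, k, "no").lower() in YES
                       for k in ("guestok", "public"))
        unauth = guest_ok or map_to_guest != "never"
        if backend in SAFE_BACKENDS:
            exposed, reason = False, f"printing = {backend}: print command not used"
        elif not command:
            exposed, reason = None, "no explicit print command: check the backend default with testparm -sv"
        elif "%J" in command:
            exposed, reason = True, "print command substitutes %J"
            if "'%J'" in command:
                reason += " (quoted: narrows the payload only, remove it)"
            if not backend:
                reason += "; printing not set, confirm the effective backend"
        else:
            exposed, reason = False, "print command does not use %J"
        findings.append(Finding(share, exposed, unauth, reason))
    return findings


# Constructed sample configs, not taken from any real host.
VULNERABLE_CONF = """
[global]
   printing = bsd
   map to guest = Bad User
[printers]
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   print command = /usr/bin/lpr -r -P%p -J '%J' %s
[plotter]
   printable = yes
   printing = cups
   print command = /usr/local/bin/plot -J %J %s
[files]
   path = /srv/share
"""

HARDENED_CONF = """
[global]
   printing = bsd
   map to guest = Never
[printers]
   path = /var/spool/samba
   printable = yes
   guest ok = no
   print command = /usr/bin/lpr -r -P%p %s
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        for f in audit(conf):
            print(f"{label} [{f.share}] exposed={f.exposed} unauth={f.unauthenticated}: {f.reason}")
```

Run it over the output of testparm -sv rather than the raw file so that compiled-in defaults and any included files are already resolved; the "cannot tell" result only appears when a printable share has no explicit print command in the text you fed it.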
What to Do Right Now
- Patch first: Upgrade to Samba 4.22.10, 4.23.8, or 4.24.3. Red Hat, Ubuntu, SUSE, Rocky Linux, and Debian have all pushed packages; run your package manager update now and verify the installed version afterward with smbd --version. Distribution packages often backport the fix without changing the upstream version number, so on a distro build check the package changelog for the CVE rather than trusting the version string alone.
- Immediate workaround (if patching has to wait): Open smb.conf and remove %J from the print command line entirely, then restart or reload smbd. Wrapping it in single quotes ('%J') narrows the payload but does not close the hole, because a single quote inside the job description ends the quoting; removal is cleaner and definitive.
- Kill unauthenticated access: Add map to guest = Never to the [global] section if anonymous printing isn't a business requirement, and make sure no printer share carries guest ok = yes, which grants anonymous access on its own. This removes the pre-auth attack surface regardless of whether %J is present.
- Firewall port 445 (and 139 if NetBIOS is enabled): SMB should never be reachable from the public internet. If it is, restrict it to specific trusted IPs immediately, before doing anything else.
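The first three steps can be scripted for a fleet. The helpers below are an added example, not Samba or distribution code: version_verdict compares an smbd --version string against the three fixed releases named above (handling distro suffixes such as -Ubuntu or +dfsg and release candidates, which sort below the release they precede), and harden_smb_conf rewrites config text to drop %J from every print command and force map to guest = Never in [global]. The 4.22 / 4.23 / 4.24 fix versions are the article's; the rewrite's handling of a bare single-letter flag before %J (so that lpr -J %J %s does not become lpr -J %s, with the flag swallowing the spool file) is my choice and is flagged in the code. The sample config is constructed.

```python
"""Remediation helpers for the steps above: version triage and an smb.conf
rewrite. Added example, not Samba or distribution code.

Caveat on version checks: distributions often backport the fix without
bumping the upstream version, so 'vulnerable by version' on a distro package
means 'read the changelog for this CVE', not 'unpatched'. The rewrite removes
%J in any quoting, together with a bare single-letter flag directly before it
(assumption: that flag took the job name as its argument and would otherwise
swallow the next token); always diff the result and run testparm before
reloading smbd.
"""
import re
from typing import List, Optional, Tuple

# (major, minor) -> first fixed (major, minor, patch, final), per the article
FIXED = {(4, 22): (4, 22, 10, 1), (4, 23): (4, 23, 8, 1), (4, 24): (4, 24, 3, 1)}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """(major, minor, patch, final) from 'smbd --version' style output such as
    'Version 4.22.3-Ubuntu', '4.23.2+dfsg-1' or 'Version 4.24.3rc1'.
    final is 0 for a release candidate, 1 for a release."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), 0 if rc else 1


def version_verdict(text: str) -> str:
    v = parse_version(text)
    if v is None:
        return "unknown: no version number found"
    branch = v[:2]
    if branch not in FIXED:
        if branch < min(FIXED):
            return "out of scope: branch older than 4.22, upgrade to a fixed branch"
        return "newer branch than any named here: confirm against the advisory"
    if v >= FIXED[branch]:
        return "fixed"
    return "vulnerable by version (unless the distro backported the fix)"


_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# %J in any common quoting, optionally preceded by a bare single-letter flag
_JOB_RE = re.compile(r"""(?:\s+-[A-Za-z])?\s*(?:'%J'|"%J"|%J)""")


def _key(line: str) -> str:
    """Parameter name as Samba sees it: before '=', lower-case, no whitespace."""
    return re.sub(r"\s+", "", line.partition("=")[0]).lower()


def harden_smb_conf(text: str) -> Tuple[str, List[str]]:
    """Return (rewritten config, list of lines that were added or changed)."""
    out: List[str] = []
    changed: List[str] = []
    section: Optional[str] = None
    global_start: Optional[int] = None  # index just after the [global] header
    saw_map_to_guest = False
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            out.append(line)
            if section == "global":
                global_start = len(out)
            continue
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            key = _key(line)
            if key == "printcommand" and "%J" in line:
                head, _, value = line.partition("=")
                value = re.sub(r"[ \t]{2,}", " ", _JOB_RE.sub(" ", value)).strip()
                line = f"{head.rstrip()} = {value}"
                changed.append(line)
            elif key == "maptoguest" and section == "global":
                saw_map_to_guest = True
                indent = line[: len(line) - len(line.lstrip())]
                new = f"{indent}map to guest = Never"
                if new.strip() != line.strip():
                    changed.append(new)
                line = new
        out.append(line)
    if not saw_map_to_guest:
        if global_start is None:  # no [global] at all: create one at the top
            out.insert(0, "[global]")
            global_start = 1
        out.insert(global_start, "   map to guest = Never")
        changed.append("   map to guest = Never")
    return "\n".join(out) + "\n", changed


SAMPLE_CONF = """[global]
   map to guest = Bad User
[printers]
   printable = yes
   print command = /usr/bin/lpr -r -P%p -J '%J' %s
"""

if __name__ == "__main__":
    for banner in ("Version 4.22.3-Ubuntu", "Version 4.23.8", "Version 4.24.3rc1"):
        print(f"{banner}: {version_verdict(banner)}")
    new_conf, changes = harden_smb_conf(SAMPLE_CONF)
    print(new_conf, "changed:", changes)
```

Feed version_verdict the raw output of smbd --version from each host; run harden_smb_conf on a copy of the file, review the returned list of changed lines, and validate with testparm before restarting. It does not touch guest ok on individual shares, so pair it with the audit above or a manual review for that.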
The Bigger Picture
A CVSS 10.0 score doesn't come around often. When it does, it means the exploitation bar is low, the blast radius is wide, and ransomware groups have every incentive to automate it. A compromised Samba server isn't just lost files — it's a pivot point into every machine that mounts those shares or trusts that server. The lateral movement potential is the real threat here.
At Falcon Internet, managed servers running Samba are already patched; our 24x7x365 NOC monitoring tracks patch deployment across the fleet as advisories land, which is exactly why patch windows matter.