CVE-2025-0620: Samba: smbd doesn't pick up group membership changes when re-authenticating an expired smb session
A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.
Samba may continue allowing a previously authorized user to access file shares after their group membership changes, until the SMB client fully disconnects and reconnects. This is mainly an access-revocation gap, not a remote code execution issue.
Executive priority
Treat as a moderate confidentiality risk. It does not indicate broad compromise, but it can delay access revocation for sensitive file shares, which matters during offboarding, role changes, and incident containment.
Technical view
The smbd daemon fails to refresh group membership when re-authenticating an expired SMB session. CVSS is 4.9, network reachable, low complexity, high privileges required, and confidentiality impact is high. Red Hat lists RHEL 9 and RHEL 10 samba as affected.
Likely exposure
Likely exposure is internal Samba file-sharing environments using group membership to control share access, especially on Red Hat Enterprise Linux 9 or 10. Risk increases when access revocation must take effect immediately for sensitive shares.
Exploitation context
No active exploitation is supported by the provided sources, and the CVE is not in KEV. Abuse appears to require an already privileged or previously authorized SMB user whose group access was changed while a session persisted.
Researcher notes
The key behavior is stale group membership during expired-session re-authentication in smbd. Sources do not provide exploit details, confirmed patches, or broad product coverage beyond the listed Samba and Red Hat entries, so validation should stay inventory- and process-focused.
Mitigation direction
Check Samba and Red Hat advisories for confirmed updates or workarounds.
Force affected clients to disconnect and reconnect after group membership removals.
Prioritize sensitive shares where group revocation must take immediate effect.
Review operational procedures for urgent access removal from Samba shares.
Validation and detection
Inventory Samba deployments, prioritizing RHEL 9 and RHEL 10 systems.
Identify shares where access relies on Unix or directory group membership.
Review recent access removals for users with still-active SMB sessions.
Confirm affected users fully reconnect before relying on changed group access.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-552: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-552 · source CWE mapping
Files or Directories Accessible to External Parties
Files or Directories Accessible to External Parties represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.