A significant vulnerability in Samba Active Directory (AD) implementations may allow attackers to escalate privileges and even take control of entire domains. The vulnerability results from a flaw in how Samba handles access controls for newly created objects in Active Directory. In particular, a delegated administrator with the ability to create objects can still write to all of an object's attributes after it has been created, including those critical to security.
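One way to audit a directory for objects that could have been altered this way is sketched below as an added example; it is not Samba's code. It assumes each object has been exported as a record whose `sd` field holds the security descriptor in SDDL form, that the creator is recorded there as owner, and that the listed `userAccountControl` bits and privileged owner aliases are the ones of interest; the DNs and SID are constructed.

```python
import re

# userAccountControl bits treated as security-critical here (an assumption of
# this example; the page does not enumerate the attributes).
SENSITIVE_UAC = {
    0x0020: "PASSWD_NOTREQD",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# SDDL owner aliases treated as privileged: Domain/Enterprise/Builtin Admins, Local System.
TRUSTED_OWNERS = {"DA", "EA", "BA", "SY"}
OWNER_RE = re.compile(r"^O:([A-Z]{2}|S-1-[0-9-]+)")

def owner_of(sddl):
    """Return the owner alias or SID from an SDDL string, or None if absent."""
    m = OWNER_RE.match(sddl or "")
    return m.group(1) if m else None

def audit(objects):
    """Flag objects not owned by a privileged principal that carry sensitive UAC bits."""
    findings = []
    for obj in objects:
        owner = owner_of(obj.get("sd"))
        if owner in TRUSTED_OWNERS:
            continue
        uac = int(obj.get("userAccountControl", 0))
        flags = [name for bit, name in SENSITIVE_UAC.items() if uac & bit]
        # An unparseable owner is reported rather than silently trusted.
        if flags or owner is None:
            findings.append((obj["dn"], owner, flags))
    return findings

# Constructed sample records (hypothetical DNs and SID).
DELEGATED_SD = "O:S-1-5-21-1111-2222-3333-1105G:DUD:AI"
SAMPLE = [
    {"dn": "CN=ws01,OU=Lab,DC=example,DC=test", "sd": "O:DAG:DAD:AI", "userAccountControl": "8192"},
    {"dn": "CN=ws02,OU=Lab,DC=example,DC=test", "sd": DELEGATED_SD, "userAccountControl": "8192"},
    {"dn": "CN=ws03,OU=Lab,DC=example,DC=test", "sd": DELEGATED_SD, "userAccountControl": "4096"},
    {"dn": "CN=svc1,OU=Lab,DC=example,DC=test", "sd": DELEGATED_SD, "userAccountControl": "524800"},
]

if __name__ == "__main__":
    for dn, owner, flags in audit(SAMPLE):
        print(dn, owner, ",".join(flags) or "owner-unparsed")
```

A finding is a lead for review, not proof of abuse: the object's creation and modification history still has to be checked against what the delegated administrator was meant to provision.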