🔴 CVE-2025-4632

Critical path traversal vulnerability in Samsung MagicINFO 9 Server allows unauthenticated remote attackers to write arbitrary files with system authority. The vulnerability is actively exploited in the wild and listed in CISA KEV, with CAPEC-650 indicating web shell upload capability.

Risk Level: HIGH_RISK
CVSS Score: 9.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-22 (9 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-4632 is a critical-severity path traversal vulnerability affecting Samsung MagicINFO 9 Server, a digital signage management solution [3] [6].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability was actively exploited in the wild as a zero-day [2] [7].
  • Threat Actors: Reports indicate the vulnerability has been used by threat actors to deploy the Mirai botnet [5].
  • Proof-of-Concept (PoC): A PoC exploit was published by SSD Disclosure on April 30, 2025, which preceded the release of the official patch and contributed to the subsequent surge in exploitation activity [2] [7].
Attack Method and Requirements
  • Method: The flaw is a path traversal vulnerability resulting from improper limitation of pathnames to a restricted directory [1].
  • Requirements: Exploitation can be performed remotely over the network without the need for authentication [4]. No user interaction is required [4].
Impact
  • Access Level: Successful exploitation allows an attacker to write arbitrary files to the server with system-level authority (specifically under the Apache Tomcat process) [1] [7].
  • Consequences: This capability allows attackers to upload web shells, leading to full remote code execution (RCE), data breaches, and complete system compromise [3] [4].
Affected Versions and Mitigation
  • Affected Versions: Samsung MagicINFO 9 Server versions prior to 21.1052 are vulnerable [1] [6].
  • Status: Samsung released a patch on May 13, 2025, to address the vulnerability [2]. Organizations are advised to ensure their software is updated to version 21.1052 or later [4].

Sources

  1. CVE-2025-4632 Detail - NVD

    Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to ...

  2. Samsung Patches Zero-Day Vulnerability in MagicINFO 9 Server ...

    On May 13, 2025, Samsung released fixes for CVE-2025-4632, a high-severity path traversal zero-day vulnerability in MagicINFO 9 Server. ... Arctic Wolf had previous…

  3. MagicINFO 9 Server - Path Traversal (CVE-2025-4632)

    CVE-2025-4632 is a critical vulnerability in Samsung MagicINFO 9 Server prior to version 21.1052 that allows attackers to write arbitrary files as system authority due to improper restriction of pathnames. This flaw could be exploited remotely to gain full control over the server, potentially leadin…

  4. CVE-2025-4632 - Exploits & Severity - Feedly

    Threat Intelligence Report CVE-2025-4632 is a high-severity path traversal zero-day vulnerability in Samsung MagicINFO 9 Server that allows unauthenticated threat actors to write arbitrary files to the server, potentially leading to remote code execution through specially crafted JavaServer Pages (J…

  5. JUNE 2025 Cybersecurity Newsletter - IWEBBS

    Samsung has issued urgent updates to fix CVE-2025-4632, a critical path traversal vulnerability in MagicINFO 9 Server actively exploited in the wild to deploy the Mirai botnet. ... At least 581 critical systems worldwide were compromised by China-linked threat groups exploiting a zero-day vulnerabil…

  6. Samsung MagicInfo9 Path Traversal Vulnerability Added to CISA ...

    CVE-2025-4632 is a critical vulnerability in Samsung MagicInfo 9 Server (a digital signage software solution) affecting versions prior to 21.1052 with a ...

  7. Attackers Target Samsung MagicINFO Server Bug,

    CVE-2025-4632, a patch bypass for a Samsung MagicInfo 9 Server vulnerability disclosed last year, has been exploited by threat actors in the wild. ... On April 30, a proof-of-concept (POC) exploit was published for CVE-2025-4632 , a vulnerability impacting current versions of Samsung MagicINFO 9 Ser…