cbcvebase.
CVE-2025-4632
published 2025-05-13


Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-06-12
Exploited in the wild
EPSS: 23.95% (97.6th percentile)
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| samsung | magicinfo_9_server | < 21.1052.0 | 21.1052.0 |
| samsung_electronics | magicinfo_9_server | < 21.1052 | 21.1052 |

Detection & IOCs (extracted from sources)

url: /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/{(unknown)}.html&deviceType={{deviceType}}&deviceModelName={{deviceModelName}}&swVer={{swVer}}
path: /MagicInfo/servlet/SWUpdateFileUploader
other: Server: magicinfo premium server
other: MagicInfo Premium Server
  • Detect path traversal exploitation attempts targeting the SWUpdateFileUploader endpoint. Look for HTTP POST requests to /MagicInfo/servlet/SWUpdateFileUploader with a fileName parameter containing directory traversal sequences (e.g., ./../../).
  • Exploitation is unauthenticated — no session or authentication token is required. Any POST to the SWUpdateFileUploader endpoint with traversal sequences in fileName from an unauthenticated source should be treated as a high-confidence attack indicator.
  • Confirm exploitation by checking whether a file written via the traversal path is subsequently accessible via a GET request to /MagicInfo/<filename>.html — a successful two-stage probe (upload then retrieve) indicates full RCE capability.
  • Use the Shodan query 'Server: magicinfo premium server' to identify exposed Samsung MagicINFO 9 Server instances on the internet for asset discovery and attack surface reduction.
  • CVE-2025-4632 is listed in CISA KEV with a remediation due date of 2025-06-12, indicating active exploitation in the wild. Prioritize detection and patching accordingly.
  • The vulnerability affects Samsung MagicINFO 9 Server versions before 21.1052 only. Instances running 21.1052 or later are patched and should not be flagged.
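A log-side check for the first three bullets above, as an added example that is not part of this entry or of Samsung's code: it parses combined-format access log lines (a constructed sample is embedded), flags POSTs to /MagicInfo/servlet/SWUpdateFileUploader whose fileName decodes to a traversal, and marks a finding confirmed when the same basename is later fetched under /MagicInfo/ with a 200. The log format, the extra decoding pass for double-encoded sequences and the basename correlation are assumptions the entry itself does not specify.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_PATH = "/MagicInfo/servlet/SWUpdateFileUploader"
# Assumed Apache/nginx combined format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.(/|\\)")  # ../ or ..\ anywhere in the decoded name

def traversal_filename(method, target):
    """Decoded fileName if this is a POST to the upload servlet with a traversing fileName, else None."""
    parts = urlsplit(target)
    if method != "POST" or parts.path != UPLOAD_PATH:
        return None
    for raw in parse_qs(parts.query).get("fileName", []):
        decoded = unquote(raw)  # parse_qs decoded once; the second pass catches %252e-style double encoding
        if TRAVERSAL_RE.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Flag traversal uploads; mark one confirmed when its basename is later served from /MagicInfo/ with 200."""
    findings, pending = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = traversal_filename(m["method"], m["target"])
        if name is not None:
            basename = name.replace("\\", "/").rsplit("/", 1)[-1]
            findings.append({"ip": m["ip"], "ts": m["ts"], "fileName": name, "confirmed": False})
            pending[basename] = len(findings) - 1
        elif m["method"] == "GET" and m["status"] == "200":
            path = urlsplit(m["target"]).path
            basename = path.rsplit("/", 1)[-1]
            if path.startswith("/MagicInfo/") and basename in pending:
                findings[pending[basename]]["confirmed"] = True
    return findings

# Constructed sample log lines (not from any real incident); lines 1 and 2 are the upload-then-retrieve pair.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2025:10:01:02 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=.%2F..%2F..%2F..%2Fserver%2Fprobe.html&deviceType=x HTTP/1.1" 200 12',
    '203.0.113.5 - - [13/May/2025:10:01:03 +0000] "GET /MagicInfo/probe.html HTTP/1.1" 200 35',
    '198.51.100.7 - - [13/May/2025:10:05:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=update.bin&deviceType=x HTTP/1.1" 200 12',
    '198.51.100.9 - - [13/May/2025:10:06:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=%252e%252e%2Fx.html HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the first POST is flagged and confirmed by the following GET, the plain update.bin upload is ignored, and the double-encoded name is flagged but not confirmed.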

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL