CVE-2025-4632
Published 2025-05-13
Priority P192 · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-06-12
Exploited in the wild
EPSS: 23.95% (97.6th percentile)
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write an arbitrary file as system authority.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| samsung | magicinfo_9_server | < 21.1052.0 | 21.1052.0 |
| samsung_electronics | magicinfo_9_server | < 21.1052 | 21.1052 |
Detection & IOCs (extracted from sources)
- url: /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/{(unknown)}.html&deviceType={{deviceType}}&deviceModelName={{deviceModelName}}&swVer={{swVer}}
- path: /MagicInfo/servlet/SWUpdateFileUploader
- other: Server: magicinfo premium server
- other: MagicInfo Premium Server
- Detect path traversal exploitation attempts targeting the SWUpdateFileUploader endpoint. Look for HTTP POST requests to /MagicInfo/servlet/SWUpdateFileUploader with a fileName parameter containing directory traversal sequences (e.g., ./../../).
- Exploitation is unauthenticated: no session or authentication token is required. Any POST to the SWUpdateFileUploader endpoint with traversal sequences in fileName from an unauthenticated source should be treated as a high-confidence attack indicator.
- Confirm exploitation by checking whether a file written via the traversal path is subsequently accessible via a GET request to /MagicInfo/<filename>.html. A successful two-stage probe (upload, then retrieve) indicates full RCE capability.
- Use the Shodan query 'Server: magicinfo premium server' to identify exposed Samsung MagicINFO 9 Server instances on the internet for asset discovery and attack surface reduction.
- CVE-2025-4632 is listed in CISA KEV with a remediation due date of 2025-06-12, indicating active exploitation in the wild. Prioritize detection and patching accordingly.
- The vulnerability affects Samsung MagicINFO 9 Server versions before 21.1052 only. Instances running 21.1052 or later are patched and should not be flagged.
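The detection logic described above, as an added example that is not part of this page's sources or of any Samsung or vendor tooling. It parses constructed Combined Log Format lines, flags POSTs to the SWUpdateFileUploader endpoint whose fileName parameter contains a traversal sequence after percent-decoding, and then correlates each hit with a later GET from the same source for the dropped file under /MagicInfo/ (the two-stage upload-then-retrieve probe). The log format, the regexes, the sample lines and all function names are assumptions made for the example; the only indicator taken from the page is the endpoint path and the `./../../` traversal. Matching on backslash traversal and on double-encoded `%252e%252e%252f` is a deliberate detection-side widening, not a claim about what the server accepts.

```python
"""Detect CVE-2025-4632 exploitation attempts in web access logs.

Added example. The log format, regexes, sample lines and function names
below are constructed for illustration; the endpoint path and the
"./../../" traversal indicator come from the page's detection notes.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"

# "../" or "..\" anywhere in the decoded fileName (backslash form is an
# assumption to widen detection, not a documented server behaviour).
_TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed Combined Log Format lines (sample input, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2025:10:01:02 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/x.html&deviceType=a&deviceModelName=b&swVer=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.10 - - [14/May/2025:10:01:05 +0000] "GET /MagicInfo/x.html HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.7 - - [14/May/2025:10:02:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=firmware.bin&deviceType=a&deviceModelName=b&swVer=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2025:10:03:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=%2e%2e%2f%2e%2e%2fserver%2fshell.jsp&deviceType=a&deviceModelName=b&swVer=1 HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.5 - - [14/May/2025:10:04:00 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _deep_unquote(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded traversal
    (%252e%252e%252f) normalises to the same form as plain ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_filename(method: str, target: str):
    """Return the decoded fileName if `method`/`target` is a POST to the
    SWUpdateFileUploader endpoint with a traversal sequence in fileName,
    otherwise None."""
    if method.upper() != "POST":
        return None
    parts = urlsplit(target)
    if unquote(parts.path).lower() != ENDPOINT.lower():
        return None
    # parse_qs already decodes once; decode again for double encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("fileName", []):
        name = _deep_unquote(raw)
        if _TRAVERSAL.search(name):
            return name
    return None


def parse_log(text: str):
    """Parse Combined Log Format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def detect(log_text: str):
    """Flag traversal uploads; mark those followed by a successful GET from
    the same source for the dropped file under /MagicInfo/ as the two-stage
    (upload, then retrieve) probe described in the detection notes."""
    events = parse_log(log_text)
    findings = []
    for i, ev in enumerate(events):
        name = traversal_filename(ev["method"], ev["target"])
        if name is None:
            continue
        dropped = posixpath.basename(name.replace("\\", "/"))
        expected = f"/MagicInfo/{dropped}".lower()
        retrieved = any(
            later["ip"] == ev["ip"]
            and later["method"] == "GET"
            and later["status"] == 200
            and unquote(urlsplit(later["target"]).path).lower() == expected
            for later in events[i + 1:]
        )
        findings.append({
            "ip": ev["ip"],
            "timestamp": ev["ts"],
            "file_name": name,
            "dropped_file": dropped,
            "stage": "upload+retrieve" if retrieved else "upload",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the first source (203.0.113.10) is reported as `upload+retrieve` because its traversal POST is followed by a 200 on `/MagicInfo/x.html`; the double-encoded POST from 198.51.100.9 is reported as `upload` only; the legitimate `firmware.bin` upload is not flagged. A missed retrieve does not mean the write failed, so treat an `upload`-stage hit as a high-confidence indicator on its own and hunt for the dropped file on the host.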
CVSS provenance
- nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
GHSA
GHSA-cmww-723f-496g (ghsa_unreviewed · 2025-05-13) · CVE-2025-4632 [CRITICAL] · CWE-22
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write an arbitrary file as system authority.
VulnCheck
Samsung MagicINFO 9 Server Path Traversal Vulnerability (vulncheck · 2025 · CVSS 9.8) · CVE-2025-4632 [CRITICAL] · CWE-22
Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write an arbitrary file as system authority.
Affected: Samsung MagicINFO 9 Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw; https://arcticwolf.com/resources/blog-uk/follow-up-samsung-patches-zero-day-vulnerability-in-magicinfo-9-server-cve-2025-4632/; https://thehackernews.
CISA
Samsung MagicINFO 9 Server Path Traversal Vulnerability (cisa · 2025-05-22 · CVSS 9.8) · CVE-2025-4632 [CRITICAL] · CWE-22
Affected: Samsung MagicINFO 9 Server
Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write an arbitrary file as system authority.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://security.samsungtv.com/securityUpdates#SVP-MAY-2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-4632
Remediation Due Date: 2025-06-12
No detection rules found.
Nuclei
Samsung MagicINFO 9 Server - File Upload & Remote Code Execution (nuclei · CVSS 9.8) · CVE-2025-4632 [CRITICAL]
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write an arbitrary file as system authority.
Template:
```yaml
id: CVE-2025-4632
info:
  name: Samsung MagicINFO 9 Server - File Upload & Remote Code Execution
  author: s4e-io
  severity: critical
  description: |
    Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.
  impact: |
    Unauthenticated attackers can write arbitrary files with system authority through path traversal in the file upload endpoint, achieving remote code execution.
  remediation: |
    Upgrade Samsung
```
No writeups or analysis indexed.
Timeline
- 2025-05-13: Published
- 2025-05-22: Added to CISA KEV
- Exploited in the wild