
Samsung Patches Critical MagicINFO 9 Exploit


Samsung has issued an urgent software update for its MagicINFO 9 Server platform, patching a critical path traversal vulnerability—CVE-2025-4632—that has been exploited in real-world attacks. With a CVSS score of 9.8, this flaw allows threat actors to write arbitrary files with system-level permissions, making it one of the most severe issues seen in the product to date.

According to Samsung’s advisory, the bug impacts versions of MagicINFO 9 Server before 21.1052. The vulnerability stems from improper path restrictions that let attackers escape the intended directory structure. It’s also been confirmed that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw patched in August 2024.

The flaw gained traction after SSD Disclosure publicly released a proof-of-concept (PoC) exploit on April 30, 2025. Within days, attackers began abusing it, including in campaigns linked to Mirai botnet deployments. Security firm Huntress discovered that even servers running MagicINFO version 21.1050 were compromised—indicating a new, unpatched vulnerability was at play.

Exploitation in the Wild and PoC Triggered Attacks

Huntress’s deeper investigation uncovered three incidents where attackers exploited CVE-2025-4632. In two cases, they dropped payloads such as srvany.exe and services.exe, suggesting post-exploitation persistence. On the third host, reconnaissance commands were used, indicating that attackers were mapping the environment for further exploitation.

This discovery was especially alarming because the affected systems were thought to be up to date. However, Huntress found that even the latest version (21.1050) was vulnerable, and a fix wasn’t available until Samsung released version 21.1052.

Jamie Levy, director of adversary tactics at Huntress, confirmed that the patch does mitigate CVE-2025-4632. However, upgrading is not seamless—users running MagicINFO v8 must first update to 21.1050 before applying the final patch. This added complexity may leave some systems exposed for longer than necessary.

Patch Now to Protect Against Mirai and Other Threats

The timeline of attacks following the public PoC highlights just how quickly vulnerabilities like this are weaponized. Samsung strongly urges all users of MagicINFO 9 Server to update immediately to version 21.1052. Machines still running any version from v8 through 21.1050 remain vulnerable and could be actively targeted by malware operators.

Security teams managing Samsung’s digital signage systems should review their environments, verify patch levels, and check for indicators of compromise—especially any signs of abnormal executable downloads or suspicious command-line activity.
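One way to carry out the patch-level check across a fleet, as an added example that is not code from Samsung or Huntress: it applies the version thresholds stated in this article to an inventory export and lists the upgrade steps each server still needs. The record layout, hostnames and sample builds are constructed assumptions.

```python
import re

FIXED_BUILD = (21, 1052)     # first fixed MagicINFO 9 Server build per the article
STEPPING_BUILD = (21, 1050)  # v8 installs must reach this build before the fix

# Constructed sample inventory: (host, product generation, reported build).
# This record layout is an assumption; map your asset export onto it.
SAMPLE_INVENTORY = [
    ("signage-01", "9", "21.1052"),
    ("signage-02", "9", "21.1050"),
    ("signage-03", "8", ""),
    ("signage-04", "9", "21.1040 "),
    ("signage-05", "9", "unknown"),
]

def parse_build(text):
    """Return the build as a tuple of ints, or None if it is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        return None
    return tuple(int(part) for part in text.split("."))

def fmt(build):
    return ".".join(str(n) for n in build)

def triage(host, generation, build_text):
    """Classify one server and list the builds it still has to install, in order."""
    def result(status, steps):
        return {"host": host, "status": status, "steps": steps}
    if generation.strip() == "8":
        # Per the article, v8 cannot go straight to the fixed build.
        return result("vulnerable", [fmt(STEPPING_BUILD), fmt(FIXED_BUILD)])
    build = parse_build(build_text)
    if build is None:
        # Missing or malformed version data is never counted as patched.
        return result("unverified", [])
    if build >= FIXED_BUILD:
        return result("patched", [])
    return result("vulnerable", [fmt(FIXED_BUILD)])

def triage_all(inventory):
    return [triage(*record) for record in inventory]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_INVENTORY):
        plan = " -> ".join(row["steps"]) or "none"
        print(f'{row["host"]:<12}{row["status"]:<12}upgrade path: {plan}')
```

A `patched` result describes the current build only; a server that ran an earlier build while reachable by attackers still needs the indicator review described above.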

With botnets like Mirai continuing to evolve and exploit known flaws, staying on top of critical updates like this one is essential for defending enterprise infrastructure.
