Samsung has released a software update to address critical security flaws in the wildly active MagicInfo 9 servers.
The vulnerability tracked as CVE-2025-4632 (CVSS score: 9.8) is described as a cross-path defect.
“Inappropriate restriction of pathnames for a restricted directory vulnerability in Samsung Magicinfo 9 server versions prior to 21.1052 allows an attacker to describe any file as system privileges,” according to the flawed advisory.
Note that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another past traversal defect of the same product, patched by Samsung in August 2024.
CVE-2025-4632 was exploited in the wild shortly after the release of the SSD disclosure proof of concept (POC) for the deployment of Mirai Botnet on April 30, 2025.
Although initially assumed that the attack was targeting CVE-2024-7399, cybersecurity company Huntress first revealed the existence of less than the vulnerability last week after finding signs of exploitation even on Magicinfo 9 server instances running the latest version (21.1050).
In a follow-up report published on May 9, Huntress revealed three separate incidents, including the exploitation of CVE-2025-4632, with the unidentified actor downloading additional payloads such as “srvany.exe” and “services.exe” to the two hosts, and running the same command to run the reconnaissance command third.
Samsung Magicinfo 9 server users are advised to apply the latest fixes as soon as possible to prevent potential threats.
“We have confirmed that MagicInfo 9 21.1052.0 is mitigating the original issue raised on CVE-2025-4632,” Jamie Levy, director of enemy tactics for the Hanless, told Hacker News.
“We also discovered that machines with version v8 -v9 21.1050.0 are affected by this vulnerability. We also discovered that upgrading from MagicInfo V8 to V9 21.1052.0 is not easy as they must first upgrade to 21.1050.0 before applying the final patch.”
Source link
