Full Report
Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to
Analysis Summary
# Vulnerability: Path Traversal in Samsung MagicINFO 9 Server Leading to Arbitrary File Write (Mirai Deployment)
## CVE Details
- CVE ID: CVE-2025-4632
- CVSS Score: 9.8 (Critical)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
## Affected Systems
- Products: Samsung MagicINFO 9 Server
- Versions: All versions prior to 21.1052.0 (the advisory specifically lists v8 through v9 21.1050.0 as affected)
- Configurations: N/A
## Vulnerability Description
CVE-2025-4632 is a critical path traversal vulnerability in Samsung MagicINFO 9 Server. This flaw is caused by the improper limitation of a pathname to a restricted directory, allowing remote attackers to write arbitrary files with **system authority** on the underlying server. Notably, this vulnerability is considered a patch bypass for the previously disclosed CVE-2024-7399.
## Exploitation
- Status: Exploited in the wild (Used to deploy the Mirai botnet)
- Complexity: Low (A PoC was publicly released)
- Attack Vector: Network
## Impact
- Confidentiality: Likely High (arbitrary file write with system authority implies the ability to read or exfiltrate anything on the host once code execution is obtained)
- Integrity: High (arbitrary file write with system authority allows complete compromise of the server)
- Availability: High (compromise has been followed by deployment of malware such as Mirai)
## Remediation
### Patches
- **Samsung MagicINFO 9 Server version 21.1052.0 or later** mitigates the issue.
### Workarounds
- **For users upgrading from v8 or v9 21.1050.0:** an intermediate step is required. Such users must first upgrade to version **21.1050.0** and only then apply the final patch, version 21.1052.0 or higher, for the vulnerability to be fully mitigated.
## Detection
- **Indicators of Compromise (IoCs):** Evidence of attackers running commands to download and execute payloads named `srvany.exe` and `services.exe`.
- **Detection Methods and Tools:** Monitoring file system activity for suspicious writes in core server directories, especially by the system account, and network traffic associated with payload downloads on MagicINFO server instances.
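As an added illustration of the detection methods listed above (this code is not from Samsung, Huntress or the advisory), the following Python flags the two indicators the report names: payload-named binaries launched from anywhere other than System32, and executable content written under the server's install root by the SYSTEM account. The install root `C:\MagicInfo`, the event field names and the sample events are constructed assumptions modeled on Sysmon process-creation (ID 1) and file-create (ID 11) records.

```python
import ntpath

# Hypothetical install root; replace with the server's real directory.
MAGICINFO_DIR = r"C:\MagicInfo"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
PAYLOAD_NAMES = {"srvany.exe", "services.exe"}  # names reported post-exploitation
DROPPED_EXTENSIONS = (".exe", ".dll", ".bat", ".ps1", ".jsp")

def _under(path, root):
    """True if path normalizes to a location inside root (case-insensitive)."""
    p = ntpath.normpath(path).lower()
    return p.startswith(ntpath.normpath(root).lower() + "\\")

def is_suspicious_process(event):
    """services.exe is legitimate only from System32; srvany.exe is not part of a
    modern Windows install, so any launch of it merits review."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    if name not in PAYLOAD_NAMES:
        return False
    return name == "srvany.exe" or ntpath.dirname(image).lower() != SYSTEM32.lower()

def is_suspicious_file_write(event):
    """Executable content written under the server root by SYSTEM, the account a
    successful traversal writes with."""
    target = event.get("TargetFilename", "")
    return (_under(target, MAGICINFO_DIR)
            and event.get("User", "").upper() == SYSTEM_ACCOUNT
            and target.lower().endswith(DROPPED_EXTENSIONS))

def triage(events):
    """Return (kind, path) for every event matching either indicator."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and is_suspicious_process(ev):
            hits.append(("process", ev["Image"]))
        elif ev.get("EventID") == 11 and is_suspicious_file_write(ev):
            hits.append(("file_write", ev["TargetFilename"]))
    return hits

# Constructed sample events shaped like Sysmon Event ID 1 / 11 fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\services.exe", "User": SYSTEM_ACCOUNT},
    {"EventID": 1, "Image": r"C:\MagicInfo\runtime\services.exe", "User": SYSTEM_ACCOUNT},
    {"EventID": 1, "Image": r"C:\Users\Public\srvany.exe", "User": SYSTEM_ACCOUNT},
    {"EventID": 11, "TargetFilename": r"C:\MagicInfo\logs\server.log", "User": SYSTEM_ACCOUNT},
    {"EventID": 11, "TargetFilename": r"C:\MagicInfo\runtime\services.exe", "User": SYSTEM_ACCOUNT},
]
```

Running `triage(SAMPLE_EVENTS)` yields three hits: the two misplaced binaries and the executable dropped under the install root; the legitimate System32 `services.exe` and the log write are ignored.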
## References
- Vendor advisory: security.samsungtv.com/securityUpdates#SVP-MAY-2025
- CVE Record: cve.org/CVERecord?id=CVE-2025-4632
- PoC Disclosure: ssd-lab.com/disclosure/samsung/ssd-advisory-samsung-magicinfo-9-server.html
- Huntress Report: huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw
- Patch Install Link (Example): eu.community.samsung.com/t5/samsung-solutions/update-magicinfo-server-v9-21-1052-0-setup-file/ta-p/11374265