Samsung has issued a security update to fix a critical vulnerability in its MagicINFO 9 Server software, which has been actively exploited in real-world attacks. The flaw, tracked as CVE-2025-4632 with a CVSS score of 9.8, is a path traversal vulnerability that allows attackers to write arbitrary files with system-level privileges.
According to Samsung’s advisory, the issue stems from improper restriction of pathnames in MagicINFO 9 Server versions prior to 21.1052. The flaw is a bypass of an earlier vulnerability (CVE-2024-7399), which was patched in August 2024. Exploitation of the new flaw surged shortly after a proof-of-concept was published by SSD Disclosure on April 30, 2025.
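The advisory describes the bug class only in general terms (improper restriction of a pathname, leading to an arbitrary file write), and the page gives no details of how the earlier fix for CVE-2024-7399 was bypassed. The following is an added illustration of that class and its defence, not MagicINFO code and not derived from either advisory: it shows the weak "join the caller-supplied name onto a base directory" pattern beside a hardened resolver that decodes once, rejects absolute paths and NUL bytes, canonicalises, and then requires the result to remain under the upload root. The root directory, function names and sample filenames are constructed for the example; the check is generic and goes beyond the specific case in the article.

```python
"""Hardened path handling for an upload-style endpoint (added example).

This is NOT MagicINFO code. The root directory, function names and
sample filenames below are constructed for illustration only.
"""
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the upload root."""


def vulnerable_resolve(root: str, requested: str) -> str:
    """The weak pattern: trust the caller-supplied name and join it.

    '..' segments are kept, so '../x' lands outside `root`. Where the
    server runs with elevated privileges this becomes an arbitrary write.
    """
    return os.path.join(root, unquote(requested))


def resolve_under_root(root: str, requested: str) -> str:
    """Return an absolute path for `requested` only if it stays inside `root`.

    1. Percent-decode exactly once, so '%2e%2e/' is checked as '../'.
       A doubly encoded name stays literal and is judged by step 4 like
       any other name; decoding in a loop is itself a known weak spot.
    2. Refuse NUL bytes and absolute paths outright.
    3. Canonicalise with realpath (collapses '..' and follows symlinks).
    4. Require the canonical result to sit under the canonical root.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested name")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise TraversalError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath is the containment test. A plain startswith() would wrongly
    # accept '/srv/uploads_evil/x' as being inside '/srv/uploads'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"{requested!r} escapes {root!r}")
    return candidate


def is_contained(root: str, requested: str) -> bool:
    """True if the hardened resolver accepts `requested` for `root`."""
    try:
        resolve_under_root(root, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample names; '/srv/uploads' need not exist for realpath().
    ROOT = "/srv/uploads"
    samples = [
        "dashboard.png",
        "sub/../dashboard.png",
        "../outside.txt",
        "%2e%2e/%2e%2e/etc/shadow",
        "../uploads_evil/x",
        "/etc/shadow",
        "a%00.txt",
    ]
    for name in samples:
        print(f"{name!r:32} weak -> {vulnerable_resolve(ROOT, name)!r:40} "
              f"hardened -> {'allow' if is_contained(ROOT, name) else 'reject'}")
```

The usage block prints, for each constructed name, what the weak join would produce next to the hardened verdict; a practitioner can drop `resolve_under_root` in front of any file-writing handler and unit-test it with the same kind of names.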
Cybersecurity firm Huntress discovered ongoing exploitation of the flaw, even in systems running the then-latest version (21.1050), prompting further investigation. Their research confirmed that CVE-2025-4632 was being used in at least three separate incidents to deploy payloads and execute reconnaissance commands, with some attacks linked to the Mirai botnet.
Huntress noted that the vulnerability is only mitigated in MagicINFO version 21.1052. Systems running any release from version 8 through version 9 21.1050 remain vulnerable. Furthermore, upgrading from version 8 requires an intermediate update to 21.1050 before applying the final patch.
Users of Samsung MagicINFO 9 are strongly urged to update to version 21.1052 as soon as possible to defend against ongoing exploitation attempts.