CVE-2025-4632 — Samsung MagicINFO 9 Server Path Traversal Vulnerability

CVE-2025-4632

Samsung MagicINFO 9 Server — Unauthenticated Arbitrary File Write as SYSTEM; Patch Bypass of CVE-2024-7399; Mirai Botnet

What is Samsung MagicINFO 9 Server?

Samsung MagicINFO 9 Server is the central management platform for Samsung's commercial digital signage ecosystem. Organizations use it to remotely manage and push content to Samsung commercial displays deployed in retail stores, airports, hospitals, corporate lobbies, restaurants, and public venues. The MagicINFO Server provides a web-based content management system that controls what thousands of screens display across distributed locations.

While digital signage management may seem low-stakes, MagicINFO Server deployments are often internet-accessible for remote management — and the server runs with SYSTEM-level privileges on Windows to control local hardware interfaces. An arbitrary file write as SYSTEM translates directly to full operating system compromise.

Overview

CVE-2025-4632 is a path traversal vulnerability (CWE-22) in Samsung MagicINFO 9 Server that allows an unauthenticated attacker to write arbitrary files to any location on the filesystem with SYSTEM-level privileges. Exploitation in the wild began within days of a public proof-of-concept release on April 30, 2025. Samsung released a patch on May 14, 2025; CISA added the vulnerability to the KEV catalog on May 22, 2025 with confirmed Mirai botnet recruitment activity. This vulnerability is also a patch bypass for CVE-2024-7399, an earlier path traversal in the same product class that Samsung fixed in August 2024.

Affected Versions

Product             Vulnerable     Fixed
MagicINFO 9 Server  < 21.1052.0    21.1052.0

Known vulnerable build numbers include: 21.1050.0, 21.1051.0, 21.1040.x, 21.1020.0, 21.1010.x. Huntress confirmed exploitation against fully patched 21.1050 instances — making this vulnerability a bypass of the prior CVE-2024-7399 patch.

Technical Details

The vulnerable endpoint is /MagicInfo/servlet/SWUpdateFileUploader, a servlet that handles content file uploads from management clients. The server uses a user-controlled path parameter to determine where uploaded content is saved. The path parameter is not validated against a safe base directory — an attacker can supply a path traversal sequence (e.g., ../../../../Windows/System32/...) to write any file to any location on the filesystem.

Because the MagicINFO Server service runs as SYSTEM on Windows, the uploaded file is written with SYSTEM privileges. An attacker drops a JSP webshell or an executable to a startup location, achieving persistent code execution.

Relationship to CVE-2024-7399: Samsung patched a similar path traversal (CVE-2024-7399) in August 2024. CVE-2025-4632 is a bypass of that fix — the original patch did not fully restrict path traversal in all request formats, leaving a second traversal vector that attackers independently discovered and exploited before Samsung identified it.

Key characteristics:

  • Fully unauthenticated — no credentials or session required
  • Writes files as SYSTEM — maximum privilege level on Windows
  • Exploitable against any internet-accessible MagicINFO 9 Server
  • PoC publicly available since April 30, 2025 (SSD Disclosure)
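The traversal described above comes down to an upload path that is never canonicalized against a base directory. The block below is an added example, not MagicINFO's code and not a description of Samsung's actual fix: it contrasts a filter that only rejects the literal "../" substring (the kind of partial check that a second request format can slip past) with a check that decodes, canonicalizes and then verifies the target is still under the upload root. UPLOAD_ROOT and all sample paths are constructed.

```python
# Added example, not MagicINFO's own code. Shows why a filter that only
# rejects the literal "../" substring is bypassable, and how a
# canonicalization-based check keeps uploads under the intended base
# directory on a Windows host. Paths and names here are constructed.
import ntpath
from typing import Optional
from urllib.parse import unquote

UPLOAD_ROOT = r"C:\MagicInfo\upload"  # assumed base directory, not the product's real path


def naive_filter(user_path: str) -> bool:
    """Allow the request unless the literal '../' sequence is present.
    Misses backslashes and percent-encoded forms, so it is not a fix."""
    return "../" not in user_path


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Return the canonical save path if it stays under base, else None."""
    decoded = unquote(unquote(user_path))        # collapse single and double encoding
    if "\x00" in decoded or ntpath.splitdrive(decoded)[0]:
        return None                              # NUL bytes, drive letters and UNC roots are refused
    base_norm = ntpath.normpath(base)
    target = ntpath.normpath(ntpath.join(base_norm, decoded))  # resolves '..' and mixed separators
    # Compare case-insensitively (NTFS) and require at least one component below base.
    if not ntpath.normcase(target).startswith(ntpath.normcase(base_norm) + ntpath.sep):
        return None
    return target


def compare(samples):
    """Return {input: (naive_allows, canonical_path_or_None)} for each sample."""
    return {s: (naive_filter(s), safe_resolve(UPLOAD_ROOT, s)) for s in samples}


if __name__ == "__main__":
    # Constructed inputs: one legitimate upload name and three traversal forms.
    for path, (naive_ok, resolved) in compare([
        "content/2025/banner.png",
        r"..\..\Windows\System32\evil.jsp",
        "..%2F..%2Fevil.jsp",
        "%252e%252e/evil.jsp",
    ]).items():
        print(f"{path!r:40} naive_allows={naive_ok!s:5} resolved={resolved}")
```

The naive filter lets every traversal form through except the one literal spelling; the canonical check rejects all three and still accepts the ordinary upload.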

Discovery

SSD Disclosure published a proof-of-concept exploit on April 30, 2025. Huntress identified active exploitation in three customer incident investigations and published a report on May 9, 2025, before Samsung had released a patch. Censys identified approximately 1,101 internet-exposed MagicINFO 9 Server instances at the time of disclosure.

Exploitation Context

Active exploitation was rapid and multi-vector:

  • Huntress (May 9, 2025): Three separate customer incident investigations confirmed post-exploitation webshell drops and follow-on activity
  • Mirai botnet: Threat actors exploited CVE-2025-4632 to deploy Mirai botnet binaries on compromised MagicINFO servers, recruiting them as DDoS amplification nodes
  • Timeline: Exploitation began days after the April 30 PoC release, nearly two weeks before Samsung shipped the patch on May 14

The 1,101 exposed instances identified by Censys represent a relatively small but concentrated attack surface — each server controls potentially thousands of display endpoints, making compromise of a single server high-impact for the deploying organization.

Remediation

  1. Upgrade to MagicINFO 9 Server version 21.1052.0 immediately — the patch was released May 14, 2025, and the CISA deadline was June 12, 2025. Any unpatched instance is overdue.
  2. Do not assume 21.1050 or 21.1051 are safe — Huntress confirmed exploitation against 21.1050; apply 21.1052.0 specifically.
  3. Restrict internet access to the MagicINFO server — place it behind a firewall or VPN; the /MagicInfo/servlet/SWUpdateFileUploader endpoint should not be publicly reachable.
  4. Hunt for webshells and Mirai binaries — check the MagicINFO web application directories and Windows TEMP folders for unexpected .jsp files or ELF/PE executables that don't belong.
  5. Review Windows Event Logs — look for new service installations, scheduled tasks, or processes spawned from the MagicINFO service account since April 30, 2025.
  6. Rotate all credentials stored on or accessible from the MagicINFO server — the server may store API keys and credentials for connected display infrastructure and content delivery systems.
  7. Treat CVE-2024-7399 as a precedent — if you patched the earlier flaw and believed yourself protected, reassess your MagicINFO update cadence; Samsung has had multiple path traversal issues in this product.
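Step 4 above, as an added hunt script that is not part of the advisory or the vendor's tooling: it walks the directories you point it at and flags .jsp files and PE/ELF executables (identified by header bytes, not extension) modified on or after the April 30, 2025 PoC release. The roots and sample files are constructed; in practice pass the MagicINFO web application directories and Windows TEMP folders, and compare .jsp hits against a known-clean install, since the application ships its own JSP pages.

```python
# Added hunt script, not from the advisory or the vendor. Flags files under
# the given roots that match what the remediation step describes: .jsp files
# and PE/ELF executables changed since the PoC date. Samples are constructed.
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional, Tuple

POC_DATE = datetime(2025, 4, 30, tzinfo=timezone.utc)  # CVE-2025-4632 PoC publication


def classify(path: str) -> Optional[str]:
    """Return a reason if the file looks like a dropped webshell or binary, else None."""
    if path.lower().endswith(".jsp"):
        return "jsp file"
    with open(path, "rb") as fh:
        magic = fh.read(4)
    if magic[:2] == b"MZ":
        return "PE executable"       # Windows binary regardless of its extension
    if magic == b"\x7fELF":
        return "ELF executable"      # Mirai builds are Linux ELF binaries
    return None


def hunt(roots, since: datetime = POC_DATE) -> List[Tuple[str, str]]:
    """Return (path, reason) for suspicious files modified at or after `since`."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                if mtime < since:
                    continue
                reason = classify(full)
                if reason:
                    findings.append((full, reason))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree, hunt it, and return (basename, reason) sorted."""
    samples = {"cmd.jsp": b"<% %>", "update.png": b"MZ\x90\x00",   # PE hiding behind .png
               "x86": b"\x7fELF\x01", "banner.png": b"\x89PNG"}     # real PNG stays quiet
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return sorted((os.path.basename(p), r) for p, r in hunt([tmp]))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name:12} {reason}")
```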

Key Details

CVE ID: CVE-2025-4632
Vendor / Product: Samsung — MagicINFO 9 Server
NVD Published: 2025-05-13
NVD Last Modified: 2025-11-03
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-22
CISA KEV Added: 2025-05-22
CISA KEV Deadline: 2025-06-12
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-06-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-04-30  SSD Disclosure publishes proof-of-concept exploit
2025-05-09  Huntress publishes report of three confirmed customer incident investigations
2025-05-13  CVE published
2025-05-14  Samsung releases MagicINFO 9 Server version 21.1052.0 with fix
2025-05-22  Added to CISA Known Exploited Vulnerabilities catalog; Mirai botnet recruitment confirmed
2025-06-12  CISA BOD 22-01 remediation deadline