Samsung Electronics has patched a critical vulnerability in its MagicINFO 9 Server, identified as CVE-2025-4632, which has been actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to write arbitrary files as system authority due to improper limitation of a pathname to a restricted directory. The vulnerability, which affects versions prior to 21.1052, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on May 22, 2025, just nine days after its disclosure.
The exploitation of this vulnerability has been linked to the deployment of the Mirai botnet, a notorious malware strain known for hijacking IoT devices to launch distributed denial-of-service (DDoS) attacks. The availability of a proof-of-concept (PoC) exploit has likely accelerated the exploitation of this flaw, which was reportedly leveraged within 8.8 days of its disclosure.
The vulnerability, categorized under CWE-22, involves a directory traversal issue that permits unauthorized file manipulation. This can lead to severe consequences, including the execution of malicious code with elevated privileges. The exploitation of this flaw highlights the critical need for organizations using Samsung MagicINFO 9 Server to apply the latest patches immediately to mitigate potential risks.
Samsung has responded by releasing a security update to address this vulnerability. Organizations are urged to upgrade to version 21.1052 or later to protect against potential exploitation. Given the critical nature of this vulnerability and its active exploitation, security teams should prioritize patching and review their systems for any signs of compromise.
The inclusion of CVE-2025-4632 in the KEV catalog underscores the urgency of addressing this security gap. With an Exploit Prediction Scoring System (EPSS) score of 0.492, the likelihood of exploitation remains significant, necessitating immediate action from affected entities. Security professionals should also monitor for any unusual network activity that could indicate botnet deployment or other malicious actions.
In summary, the swift exploitation of CVE-2025-4632 serves as a stark reminder of the importance of timely patch management and the need for robust security measures to defend against emerging threats. Organizations using Samsung MagicINFO 9 Server should act swiftly to secure their systems and prevent potential exploitation by threat actors.
CSURFACE