Samsung has released a critical security update to patch CVE-2025-4632, a high-severity vulnerability in its MagicINFO 9 Server platform actively exploited by attackers to deploy the Mirai botnet.
CVE-2025-4632: What You Need to Know
- Vulnerability ID: CVE-2025-4632
- CVSS Score: 9.8 (Critical)
- Affected Product: Samsung MagicINFO 9 Server (versions before 21.1052.0)
- Exploitation Type: Unauthenticated remote arbitrary file write
- Patch Bypass Of: CVE-2024-7399
This vulnerability stems from improper validation of file paths, which allows attackers to carry out path traversal attacks. By crafting malicious file paths, threat actors can write arbitrary files to the server with system-level privileges, paving the way for full server compromise.
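To make the path-validation failure concrete, here is an added example (not code from the article, from Samsung, or from the MagicINFO product) showing the vulnerable join-and-write pattern beside a hardened version, plus a log-side check a defender can run over web access lines. The upload root, the request paths and the log lines are all constructed for illustration; the real MagicINFO endpoint and directory layout are not given in the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed upload root for a service that stores user-supplied files on disk.
# This is a constructed value, not the MagicINFO directory layout.
UPLOAD_ROOT = "/srv/magicinfo/uploads"


def unsafe_destination(user_path: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined straight onto the root.

    A name containing '../' segments resolves outside UPLOAD_ROOT, so whatever
    writes to the returned path writes wherever the service account can, which
    is the arbitrary file write described in the advisory.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_path))


def safe_destination(user_path: str) -> str:
    """Hardened pattern: decode, canonicalise, then refuse anything that leaves the root."""
    decoded = unquote(unquote(user_path))  # collapse single and double URL encoding
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")   # treat Windows separators as separators too
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded))
    # After normalisation the candidate must still sit strictly below the root.
    if candidate == UPLOAD_ROOT or posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


# Detection side: a parent-directory hop that starts a segment, or follows
# '?', '=' or '&' in a query string, after URL decoding.
_TRAVERSAL = re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\]|$)")


def is_traversal_attempt(raw_request_path: str) -> bool:
    """True when a request path (decoded twice) contains a '..' hop."""
    decoded = unquote(unquote(raw_request_path))
    return _TRAVERSAL.search(decoded) is not None


def flag_traversal_requests(log_lines):
    """Return the access-log lines whose request path looks like a traversal attempt.

    Expects the common 'METHOD path HTTP/x' request field in quotes.
    """
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|PUT)\s+(\S+)\s+HTTP/', line)
        if m and is_traversal_attempt(m.group(1)):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2025:10:00:02 +0000] "POST /upload?name=..%2F..%2Fx.jsp HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/May/2025:10:00:03 +0000] "POST /upload?name=..%252F..%252Fy.jsp HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/May/2025:10:00:04 +0000] "GET /files/report..v2.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("unsafe:", unsafe_destination("../../etc/passwd"))
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("flagged:", line)
```

The double `unquote` matters: a single decode misses `%252F`, which is the encoded form of `%2F`, and the `commonpath` comparison is what catches traversal regardless of how many `..` segments were used. The regex deliberately ignores names like `report..v2.png`, where `..` is part of a filename rather than a directory hop.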
Active Exploitation in the Wild
The flaw was actively exploited in the wild, according to cybersecurity firm Huntress, which observed attackers using it to:
- Drop malicious files such as srvany.exe and services.exe
- Run reconnaissance commands such as whoami and query user
- Deploy the Mirai botnet, a notorious malware used for large-scale DDoS attacks
Exploitation began after a proof-of-concept (PoC) was publicly released by SSD Disclosure on April 30, 2025.
A Patch Bypass Resurfaces
CVE-2025-4632 is particularly dangerous because it acts as a patch bypass for CVE-2024-7399, previously believed to be mitigated. This allowed attackers to once again target vulnerable MagicINFO servers, emphasizing the importance of defense-in-depth and continuous patch validation.
Mitigation and Patch Guidance
Samsung has addressed the vulnerability in MagicINFO 9 Server version 21.1052.0. Users on older versions should follow this two-step upgrade path:
- Upgrade to version 21.1050.0
- Then proceed to 21.1052.0
Jamie Levy, Director of Adversary Tactics at Huntress, confirmed:
“We have verified that MagicINFO 9 21.1052.0 does mitigate the original issue raised in CVE-2025-4632.”
Recommendations
Organizations using MagicINFO should:
- Immediately apply the latest patch
- Audit systems for unauthorized changes or signs of compromise
- Implement WAF, EDR, and network segmentation to mitigate future exposure
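For the audit step, here is an added example (not from the article, Samsung or Huntress) of a small triage pass over process-creation events that looks for the indicators the article names: reconnaissance commands (whoami, query user) spawned by the signage service, and srvany.exe or services.exe appearing outside the Windows system directories. The events are constructed, and the parent-process name MagicInfoServer.exe is an assumed placeholder, since the advisory does not name the service binary.

```python
import ntpath

# Constructed process-creation events in the shape a Sysmon/EDR export might take.
# "MagicInfoServer.exe" is an assumed placeholder for the service process.
SAMPLE_EVENTS = [
    {"parent": r"C:\MagicInfo\MagicInfoServer.exe", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"parent": r"C:\MagicInfo\MagicInfoServer.exe", "image": r"C:\Windows\System32\query.exe", "cmdline": "query user"},
    {"parent": r"C:\MagicInfo\MagicInfoServer.exe", "image": r"C:\MagicInfo\tmp\srvany.exe", "cmdline": "srvany.exe"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost -k netsvcs"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"parent": r"C:\MagicInfo\MagicInfoServer.exe", "image": r"C:\Users\Public\services.exe", "cmdline": "services.exe"},
]

# Recon images named in the advisory, mapped to a required argument substring
# (None means any invocation counts).
RECON = {"whoami.exe": None, "query.exe": "user"}

# Binaries the advisory reports being dropped. services.exe is also a legitimate
# Windows binary, so location is what separates the two cases.
DROPPED = {"srvany.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events, service_parents=("magicinfoserver.exe",)):
    """Return (rule, event) pairs for events matching either indicator rule.

    service_parents is the set of process names treated as the signage service;
    the default is the assumed placeholder name used in SAMPLE_EVENTS.
    """
    hits = []
    for ev in events:
        image = _name(ev["image"])
        parent = _name(ev["parent"])

        # Rule 1: recon commands spawned directly by the service process.
        if image in RECON and parent in service_parents:
            required = RECON[image]
            if required is None or required in ev["cmdline"].lower():
                hits.append(("recon-from-service", ev))

        # Rule 2: a named dropped binary living outside the system directories.
        if image in DROPPED and not ntpath.dirname(ev["image"]).lower().startswith(SYSTEM_DIRS):
            hits.append(("dropped-binary", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(f"{rule}: {ev['image']} (parent {ev['parent']})")
```

Keying the recon rule on the parent process keeps an administrator typing `whoami` in an interactive shell out of the results, and the location check on services.exe avoids flagging the real Service Control Manager; swap the placeholder parent name for the actual service binary observed on the host before running this against real telemetry.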
Final Thoughts
With the rapid release of PoC code and proven active exploitation, CVE-2025-4632 serves as a stark reminder of how quickly attackers can capitalize on software flaws. Samsung MagicINFO users must act now to secure their systems against future compromise and botnet recruitment.