Article Details

Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit. Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw. It's worth noting that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw in the same product that was patched by Samsung in August 2024. CVE-2025-4632 has since been exploited in the wild shortly after the release of a proof-of-concept (PoC) by SSD Disclosure on April 30, 2025, in some instances to even deploy the Mirai botnet. While it was initially assumed that the attacks were targeting CVE-2024-7399, cybersecurity company Huntress first revealed the existence of an unpatched vulnerability last week after finding signs of exploitation even on MagicINFO 9 Server instances running the latest version (21.1050). In a follow-up report published on May 9, Huntress revealed that three separate incidents that involved the exploitation of CVE-2025-4632, with unidentified actors running an identical set of commands to download additional payloads like "srvany.exe" and "services.exe" on two hosts and executing reconnaissance commands on the third. Users of the Samsung MagicINFO 9 Server are recommended to apply the latest fixes as soon as possible to safeguard against potential threats. "We have verified that MagicINFO 9 21.1052.0 does mitigate the original issue raised in CVE-2025-4632," Jamie Levy, director of adversary tactics at Huntress, told The Hacker News. "Any machine that has versions v8 - v9 21.1050.0 will still be affected by this vulnerability. We've also discovered that upgrading from MagicINFO v8 to v9 21.1052.0 is not as straightforward since you have to first upgrade to 21.1050.0 before applying the final patch."