[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2025-4632: Samsung MagicINFO 9 Server Path Traversal Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Thu May 22 14:50:37 PDT 2025


Good afternoon,

The SOC Services team is reporting on the vulnerability: CVE-2025-4632: Samsung MagicINFO 9 Server Path Traversal Vulnerability. Due to its high visibility, we are providing this in-depth information:

History: On April 30, 2025, it was publicly disclosed that a server path traversal vulnerability had been found in MagicINFO 9 Server, a content management system used to manage digital signage displays. The vulnerability was assigned a CVE on May 13, 2025 and subsequently given a CVSSv3 score of 9.8 (Critical) by Samsung TV and Appliance. NIST had yet to provide a CVSSv3 score as of May 13, 2025.

Affected products and versions:

  *   Samsung MagicINFO 9 Server, versions before 21.1052

Fixed version:

  *   Samsung MagicINFO 9 Server version 21.1052

For more information directly from Samsung please see the link here: https://security.samsungtv.com/securityUpdates#SVP-MAY-2025

Additional write-ups can be found below:

  *   https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw
  *   https://arcticwolf.com/resources/blog/follow-up-samsung-patches-zero-day-vulnerability-magicinfo-9-server-cve-2025-4632/
  *   https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/
  *   https://cybersrcc.com/2025/05/16/samsung-patches-cve-2025-4632-used-to-deploy-mirai-botnet-via-magicinfo-9-exploit/



Intelligence: As of May 22, 2025, CISA has confirmed that the vulnerability is being exploited in the wild and has added it to the Known Exploited Vulnerabilities Catalog. It is worth noting that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw in the same product that Samsung remediated in August 2024. Exploitation of CVE-2025-4632 began shortly after SSD Disclosure published an advisory with a proof-of-concept (PoC) on April 30, 2025. Exploitation has been linked to the deployment of the Mirai botnet, a notorious malware family used for distributed denial-of-service (DDoS) attacks.

Workarounds: There are no workarounds at this time.

How it works: The vulnerability is a path traversal (improper limitation of a pathname to a restricted directory) in the MagicINFO 9 Server's file-handling code. Because the server does not properly restrict the pathname supplied in a specially crafted HTTP request, an unauthenticated attacker can write an arbitrary file, such as a JSP script, into a directory the server will execute from. The MagicINFO service runs with system-level privileges, so the written script executes as SYSTEM, giving the attacker remote code execution (RCE).

Post-Exploit: A successful exploit gives the attacker an arbitrary file write as SYSTEM on the server. In the intrusions reported by Huntress (linked above), the attacker used that foothold to download additional executables from a staging server, place them in the MagicINFO Tomcat bin directory under look-alike names, register one as a Windows service for persistence, and run host reconnaissance. The indicators below come from that activity.

IOC: Below are Indicators of Compromise from the observed intrusions (all dated 2025-05-04).

Attacker staging URLs

  *   http://185.225.226[.]53/php_cli.exe - URL of executable used by attacker
  *   http://185.225.226[.]53/srvany.exe - URL of executable used by attacker

Files written to disk

  *   C:\MagicInfo Premium\tomcat\bin\php-cli.exe
      SHA-256: c9c464c872b539eee7481e15331b7a6c75f4ba1f24b64d9f36a70b87a164d122
      Identified as srvany.exe, a utility to launch any executable as a service (https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/create-user-defined-service)
  *   C:\MagicInfo Premium\tomcat\bin\php-fpm.exe
      SHA-256: abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1
      Identified as services.exe, a core Microsoft Windows process that is part of the Service Control Manager (SCM) (https://winbindex.m417z.com/?file=services.exe)

Malicious Files

  *   srvany.exe (renamed to php-cli.exe)
  *   php_cli.exe (renamed to php-fpm.exe)

Unauthorized Services

  *   Service name: PHP5.3.8
  *   Parameters: -device-name=magicw, attacker-controlled email addresses

Suspicious Commands

  *   Reconnaissance: whoami, arp -a
  *   Payload execution: commands to download and execute the malicious binaries above

System Event Logs

  *   Event ID 7045: service creation (e.g., PHP5.3.8)
  *   Event ID 7000: service start failure

Network Traffic

  *   Connections to suspicious IPs or domains associated with Mirai C2 servers
  *   Increased outbound traffic indicative of DDoS activity
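A way to turn the indicators above into a host hunt, as an added Python example that is not part of the advisory or any vendor tooling. It takes System event log records (the fields a 7045 "service was installed" record carries) and a file inventory with SHA-256 digests, and applies the rules the IOC list implies: the known service name, the known-bad hashes, the -device-name=magicw parameter, a service start failure shortly after installation, and any executable living in the MagicINFO Tomcat bin directory that is not an expected Tomcat binary. The sample events and files are constructed for the example; the legitimate service name MagicInfoPremium, the binaries listed in EXPECTED_IN_BIN, the timestamps and the email address are hypothetical, while the hashes, paths, service name and parameter are copied from the IOC list.

```python
import ntpath
from datetime import datetime, timedelta

# Indicators copied from the advisory above.
KNOWN_BAD_SHA256 = {
    "c9c464c872b539eee7481e15331b7a6c75f4ba1f24b64d9f36a70b87a164d122": "srvany.exe dropped as php-cli.exe",
    "abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1": "php_cli.exe dropped as php-fpm.exe",
}
SUSPICIOUS_SERVICE_NAMES = {"php5.3.8"}
SUSPICIOUS_ARGS = ("-device-name=magicw",)
MAGICINFO_BIN = r"C:\MagicInfo Premium\tomcat\bin"
# Hypothetical allow-list: Tomcat service binaries one would expect in that
# directory on a clean install (not taken from the advisory).
EXPECTED_IN_BIN = {"tomcat9.exe", "tomcat9w.exe"}


def image_executable(image_path: str) -> str:
    """Extract the executable from a 7045 ImagePath, which is written either as
    '"C:\\path with spaces\\x.exe" args' or as 'C:\\path\\x.exe args'."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def under_dir(path: str, directory: str) -> bool:
    """Case-insensitive containment test; False for other drives or relative paths."""
    try:
        d = ntpath.normcase(ntpath.normpath(directory))
        return ntpath.commonpath([d, ntpath.normcase(ntpath.normpath(path))]) == d
    except ValueError:  # different drive, or absolute mixed with relative
        return False


def hunt_service_events(events, window=timedelta(minutes=30)):
    """Walk System-log records (dicts with EventID, TimeCreated, ServiceName and,
    for 7045, ImagePath) in time order and return (rule, service, time, detail)."""
    findings, installed_at = [], {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, name, when = ev["EventID"], ev.get("ServiceName", ""), ev["TimeCreated"]
        if eid == 7045:  # "A service was installed in the system"
            installed_at[name] = datetime.fromisoformat(when)
            image = ev.get("ImagePath", "")
            exe = image_executable(image)
            if name.lower() in SUSPICIOUS_SERVICE_NAMES:
                findings.append(("known-service-name", name, when, name))
            if under_dir(exe, MAGICINFO_BIN) and ntpath.basename(exe).lower() not in EXPECTED_IN_BIN:
                findings.append(("unexpected-binary-in-magicinfo-bin", name, when, exe))
            if any(a in image.lower() for a in SUSPICIOUS_ARGS):
                findings.append(("suspicious-args", name, when, image))
        elif eid == 7000 and name in installed_at:  # "The <name> service failed to start"
            if datetime.fromisoformat(when) - installed_at[name] <= window:
                findings.append(("start-failure-after-install", name, when, ""))
    return findings


def hunt_files(files):
    """files: iterable of {"path", "sha256"} as a hash sweep of the host would
    produce. Returns (rule, path, detail) findings."""
    findings = []
    for f in files:
        digest = f["sha256"].lower()
        base = ntpath.basename(f["path"]).lower()
        if digest in KNOWN_BAD_SHA256:
            findings.append(("known-bad-hash", f["path"], KNOWN_BAD_SHA256[digest]))
        if under_dir(f["path"], MAGICINFO_BIN) and base.endswith(".exe") and base not in EXPECTED_IN_BIN:
            findings.append(("unexpected-exe-in-magicinfo-bin", f["path"], base))
    return findings


# Constructed sample input (timestamps, legitimate service and email are hypothetical).
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2025-04-01T09:00:00", "ServiceName": "MagicInfoPremium",
     "ImagePath": r'"C:\MagicInfo Premium\tomcat\bin\tomcat9.exe" //RS//MagicInfoPremium'},
    {"EventID": 7045, "TimeCreated": "2025-05-04T03:12:41", "ServiceName": "PHP5.3.8",
     "ImagePath": r'"C:\MagicInfo Premium\tomcat\bin\php-cli.exe" -device-name=magicw attacker@example.net'},
    {"EventID": 7000, "TimeCreated": "2025-05-04T03:12:44", "ServiceName": "PHP5.3.8"},
    {"EventID": 7036, "TimeCreated": "2025-05-04T03:12:45", "ServiceName": "PHP5.3.8"},
]
SAMPLE_FILES = [
    {"path": r"C:\MagicInfo Premium\tomcat\bin\php-cli.exe",
     "sha256": "c9c464c872b539eee7481e15331b7a6c75f4ba1f24b64d9f36a70b87a164d122"},
    {"path": r"C:\MagicInfo Premium\tomcat\bin\php-fpm.exe",
     "sha256": "abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1"},
    {"path": r"C:\MagicInfo Premium\tomcat\bin\tomcat9.exe", "sha256": "0" * 64},  # placeholder digest
]

if __name__ == "__main__":
    for finding in hunt_service_events(SAMPLE_EVENTS) + hunt_files(SAMPLE_FILES):
        print(finding)
```

On a real host the event records come from the System log (Event IDs 7045 and 7000) and the file list from a hash sweep of the MagicINFO install directory; the hash match is the only high-confidence rule, the others are hunting heuristics meant to surface renamed or rehashed copies of the same tooling.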

As of May 22, 2025, Tenable has not released any plugins for the vulnerability and has no plugins in the pipeline.

Recommended Actions:


  *   Verify that the host has not already been compromised before applying patches; patching closes the traversal but does not remove persistence such as the unauthorized PHP5.3.8 service described above.
  *   Apply the updates provided by the vendor (MagicINFO 9 Server version 21.1052) to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.

Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."

