MagicINFO 9 Server - Path Traversal (CVE-2025-4632)

CVE-2025-4632 is a critical vulnerability in Samsung MagicINFO 9 Server prior to version 21.1052 that allows attackers to write arbitrary files as system authority due to improper restriction of pathnames. This flaw could be exploited remotely to gain full control over the server, potentially leading to data breaches, system compromise, or the deployment of malicious code.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-4632 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-4632. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit the /MagicInfo/servlet/SWUpdateFileUploader endpoint to upload files outside the intended directory by abusing the fileName parameter with path traversal sequences, enabling remote code execution on Samsung MagicINFO 9 Server systems. Subsequent requests to /MagicInfo/<filename>.html are used to access the uploaded malicious files.