MagicINFO 9 Server - Path Traversal (CVE-2025-4632)

CVE-2025-4632 is a critical vulnerability in Samsung MagicINFO 9 Server prior to version 21.1052 that allows attackers to write arbitrary files as system authority due to improper restriction of pathnames. This flaw could be exploited remotely to gain full control over the server, potentially leading to data breaches, system compromise, or the deployment of malicious code.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-4632 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-4632 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-4632 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit the /MagicInfo/servlet/SWUpdateFileUploader endpoint to upload files outside the intended directory by abusing the fileName parameter with path traversal sequences, enabling remote code execution on Samsung MagicINFO 9 Server systems. Subsequent requests to /MagicInfo/<filename>.html are used to access the uploaded malicious files.