Threat actors are actively exploiting a high-severity zero-day vulnerability in Samsung’s MagicINFO Server 9, a digital signage management platform widely used for content creation and display control.

The flaw, tracked as CVE-2025-4632, poses a serious security risk, allowing unauthenticated attackers to achieve remote code execution by uploading malicious files to vulnerable servers.

CVE-2025-4632

On April 30, 2025, a proof-of-concept (PoC) exploit for CVE-2025-4632 was publicly released. This PoC bypasses protections previously implemented for CVE-2024-7399, an earlier restricted directory vulnerability patched last year in versions up to 21.1050.

The newly disclosed flaw reintroduces a similar attack surface, permitting unauthenticated file uploads outside intended directory boundaries.

Samsung addressed CVE-2025-4632 on May 13, 2025, releasing a hotfix in version 21.1052 of MagicINFO Server 9. The vulnerability, which was first reported to Samsung on January 12 by SSD Secure Disclosure, was published after a standard 90-day disclosure period with additional grace time.

According to SSD’s advisory, the vulnerability arises from improper validation of file paths, enabling attackers to write arbitrary files to the server with system-level privileges. If specially crafted JavaServer Pages (JSP) files are uploaded, this can lead directly to full system compromise.
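The defect class SSD describes (an upload path that is not confined to the intended directory, so a JSP can be written where the server will execute it) is illustrated below with an added Python example; it is not MagicINFO code, and the upload root and blocked-extension list are constructed assumptions.

```python
import posixpath

# Constructed values for the example; not MagicINFO's real paths or policy.
UPLOAD_ROOT = "/srv/signage/uploads"
# Server-side executable types an upload endpoint must never write:
# a JSP landing under the web root is what turns file write into code execution.
BLOCKED_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war", ".jar", ".class"}


def vulnerable_target_path(root: str, user_path: str) -> str:
    """Vulnerable pattern: trusts the caller-supplied path and simply joins it.
    '../' segments walk out of the upload root; NUL bytes, backslashes and
    executable extensions are never rejected."""
    return posixpath.join(root, user_path)


def safe_target_path(root: str, user_path: str) -> str:
    """Hardened pattern: confine the destination to the upload root and refuse
    executable extensions. Returns the normalized path or raises ValueError."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    # Treat backslashes as separators too, since the server may run on Windows.
    relative = user_path.replace("\\", "/").lstrip("/")
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, relative))
    # Prefix check with the trailing separator, so "/srv/signage/uploads-evil"
    # cannot pass as a child of "/srv/signage/uploads"; also rejects the root itself.
    if not target.startswith(root_norm + "/"):
        raise ValueError("path escapes upload root or names no file")
    # Check every suffix, so "shell.jsp.png" style double extensions are caught too.
    name = posixpath.basename(target).lower()
    if any(name.endswith(ext) or (ext + ".") in name for ext in BLOCKED_EXTENSIONS):
        raise ValueError("server-side executable extension refused")
    return target


def classify_upload(root: str, user_path: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a requested upload path."""
    try:
        safe_target_path(root, user_path)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```

The vulnerable function still returns a path containing the traversal segments, which is why a write through it lands outside the upload root once the OS resolves it.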

Threat Activity

  • Cybersecurity firms Arctic Wolf and Huntress observed suspicious activity shortly after the PoC for CVE-2025-4632 was released.
  • While exact attribution is unconfirmed, the timing strongly suggests active in-the-wild exploitation.
  • Huntress issued a warning about ongoing live exploitation attempts.
  • Huntress noted that many customers had firewalls or other protections that may have blocked the attack vectors.

In an analysis posted on May 9, Huntress researchers described how attackers used a “spray and pray” strategy, randomly targeting servers with exploit payloads.

One attacker struggled to get their malicious service to run on a compromised host, retrying the exploit multiple times before partially succeeding on another system. Endpoint detection and response (EDR) logs later confirmed binary execution and service installation on the second host.

Mitigation

Samsung released a hotfix (21.1052) to address the vulnerability (CVE-2025-4632), though users must first install version 21.1050, as the hotfix is not a standalone installer. Notably, older vulnerable versions remain the default download on Samsung’s website.

Jai Minton, threat hunting manager at Huntress, highlighted this installation quirk on X (formerly Twitter), urging administrators to upgrade immediately and ensure that affected systems are not accessible from the internet.
