
Samsung makes a second patch for actively exploited flaw in MagicINFO 9 Server

Take action: If you are running Samsung MagicINFO 8 or 9 Server, first make sure it's isolated from the internet and accessible only from trusted networks. Then plan a quick patch, even if you already applied the earlier patch. Your MagicINFO server is being hacked, or can be used to hack your entire network.


Learn More

Samsung has released security updates to address a vulnerability in its MagicINFO 9 Server product that has been actively exploited in the wild. The flaw was discovered after cybersecurity researchers observed attacks targeting MagicINFO 9, including attempts to deploy the notorious Mirai botnet malware on compromised systems.

The flaw is tracked as CVE-2025-4632 (CVSS score: 9.8), an "improper limitation of a pathname to a restricted directory" vulnerability that allows attackers to write arbitrary files with system authority privileges. It is a patch bypass for a previously identified and fixed issue (CVE-2024-7399), another path traversal flaw in the same product that Samsung had patched in August 2024. This indicates that the original remediation was insufficient, allowing attackers to continue exploiting a similar weakness.

The exploitation of CVE-2025-4632 began shortly after security research firm SSD Disclosure published a proof-of-concept (PoC) on April 30, 2025. Cybersecurity company Huntress first identified the existence of this unpatched vulnerability last week after discovering signs of exploitation even on MagicINFO 9 Server instances running what was then the latest version (21.1050).

Huntress has documented three separate incidents involving the exploitation of this vulnerability. In two of these cases, the threat actors executed identical commands to download malicious payloads identified as "srvany.exe" and "services.exe." On the third compromised host, the attackers performed reconnaissance commands to gather information about the system.

All Samsung MagicINFO 9 Server versions prior to 21.1052 are vulnerable to this attack, including systems running the previously considered "secure" 21.1050 version. Additionally, any machines running MagicINFO v8 through v9 21.1050.0 remain affected by this vulnerability and require immediate patching.

Samsung has now released version 21.1052.0, which has been verified by Huntress to successfully mitigate the vulnerability. However, Jamie Levy, director of adversary tactics at Huntress, noted a significant complication with the upgrade process: "upgrading from MagicINFO v8 to v9 21.1052.0 is not as straightforward since you have to first upgrade to 21.1050.0 before applying the final patch."

Organizations using Samsung MagicINFO 9 Server should upgrade immediately to version 21.1052 or later.
