CVE-2025-4632 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Samsung MagicINFO 9 Server Path Traversal Vulnerability

Exploit added

May 22, 2025

Action due

June 12, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.

References

https://security.samsungtv.com/securityUpdates#SVP-MAY-2025

Weakness Enumeration

CWE-ID	CWE Name
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Known Affected Software Configurations

cpe:2.3:a:samsung:magicinfo_9_server:21.1000.3:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:21.1010.2:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:21.1020.0:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:21.1030.0:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:21.1040.2:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:21.1040.3:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:-:::::::*
cpe:2.3:a:samsung:magicinfo_9_server:21.1050.0:::::::*

Details

Source:
NVD

Published:
May 13, 2025

Updated:
May 27, 2025

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined