Update – Fixes are now available for the high-severity path traversal zero-day vulnerability, now tracked as CVE-2025-4632, in Samsung MagicINFO 9 Server. Arctic Wolf had reported observing threat activity suspected to be linked to this vulnerability in a previous security bulletin.
On May 13, 2025, Samsung released fixes for CVE-2025-4632, a high-severity path traversal zero-day vulnerability in MagicINFO 9 Server. Arctic Wolf had previously observed suspicious threat activity in the wild affecting the same product shortly after the publication of technical details and a proof-of-concept (PoC) exploit by SSD disclosure. This threat activity is suspected, though not confirmed, to be related to CVE-2025-4632.
The vulnerability described in the SSD disclosure research article allows unauthenticated threat actors to write arbitrary files to the server, which can lead to remote code execution if specially crafted JavaServer Pages (JSP) files are uploaded.
Samsung had patched an earlier vulnerability, CVE-2024-7399, in August 2024 following responsible disclosure by security researchers. However, in May 2025, Huntress demonstrated that the available patch was either incomplete or that a separate vulnerability still existed, as the proof-of-concept exploit continued to work against the latest available version at the time. Threat actors are likely to keep targeting vulnerable instances while organizations work to apply the latest fixed version.
Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.
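Because the exploitation path described above ends with a JSP file written to the server, one defensive check is to compare the server-side script files under the web application directory against a snapshot taken from a known-clean install. The following Python code is an added example, not code from Arctic Wolf or Samsung; the directory layout and file names in `demo()` are constructed, and the real web root path is an assumption the operator must supply.

```python
import hashlib
import os
import tempfile

# Extensions a Java servlet container will compile and execute on request.
SCRIPT_EXTS = {".jsp", ".jspx"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(web_root):
    """Map relative path -> SHA-256 for every server-side script under web_root."""
    result = {}
    for dirpath, _dirs, files in os.walk(web_root):  # symlinked dirs are not followed
        for name in files:
            # Case-insensitive match so "x.JSP" is not missed.
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, web_root)] = sha256_file(full)
    return result

def diff_against_baseline(baseline, current):
    """Return (added, modified) script paths relative to the web root."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified

def demo():
    """Constructed tree: one baseline page, later altered, plus one new script."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "admin"))
        with open(os.path.join(root, "admin", "login.jsp"), "w") as fh:
            fh.write("<%-- vendor page --%>")
        baseline = snapshot(root)  # stands in for a known-clean install
        with open(os.path.join(root, "admin", "login.jsp"), "a") as fh:
            fh.write("<%-- changed --%>")
        os.makedirs(os.path.join(root, "upload"))
        with open(os.path.join(root, "upload", "x.JSP"), "w") as fh:
            fh.write("<%-- not in baseline --%>")
        with open(os.path.join(root, "upload", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG")  # non-script file, ignored
        return diff_against_baseline(baseline, snapshot(root))

if __name__ == "__main__":
    added, modified = demo()
    print("NEW:", added, "MODIFIED:", modified)
```

Any path reported as new or modified that does not correspond to a vendor update should be treated as a lead for investigation, alongside the upgrade recommended below.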
Recommendations for CVE-2025-4632
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version, as described on Samsung’s site.
| Product | Affected Version | Fixed Version |
|---|---|---|
| Samsung MagicINFO 9 Server | Versions prior to 21.1052 | 21.1052 |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Remove Publicly-Exposed Instances of Samsung MagicINFO 9 Server From the Internet
As a security best practice, Arctic Wolf strongly recommends ensuring that any Samsung MagicINFO 9 Server instances are not exposed to the public internet. Although a patch is now available, to minimize the risk of future vulnerabilities, Arctic Wolf continues to advise keeping such services non-internet-facing unless absolutely necessary.