Samsung Corporation has released a security update for MagicINFO 9 Server to address a critical vulnerability that attackers have already exploited in real attacks. The vulnerability, identified as CVE-2025-4632, is a bypass of a previously fixed issue, CVE-2024-7399, which was discovered and patched in August 2024. Despite the initial fix, the new vulnerability allowed attackers to use a similar bypass method, but with different vectors. After proof-of-concept code was published by SSD Disclosure specialists on April 30, 2025, the vulnerability quickly became popular among attackers, with some using it to load components of the Mirai botnet.
Huntress was the first to observe unusual activity on systems running the latest version of MagicINFO (21.1050.0), where all known vulnerabilities had been patched. Further investigation revealed the presence of CVE-2025-4632, which enabled attackers to execute malicious commands on various hosts. Incidents reported by Huntress on May 9 involved unknown groups using the same attack method, allowing for a clear understanding of the intrusion vector and attacker tactics.
Samsung has released an update for MagicINFO 9 Server, version 21.1052.0, to address the CVE-2025-4632 vulnerability. However, users must first install an intermediate update, version 21.1050.0.0, before upgrading to 21.1052.0. This process may pose challenges for some users, particularly those still running MagicINFO versions V8 to V9. Huntress strongly advises users to update to version 21.1052.0 promptly to fully eliminate the CVE-2025-4632 threat. Failure to do so may leave systems vulnerable to attacks involving arbitrary program execution and unauthorized access to infrastructure.