Magicinfo 9 Server
CVE-2025-4632
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.
AnalysisAI
Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary files as SYSTEM authority, enabling complete server compromise.
Technical ContextAI
The CWE-22 improper path limitation allows writing files to arbitrary locations on the server filesystem. The write operation executes with SYSTEM authority, enabling creation of executable files in system directories.
RemediationAI
Update to version 21.1052+. Restrict network access to MagicINFO management interfaces. Scan for unauthorized files on the server.
More in Magicinfo 9 Server
View allUnauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded wi
Hardcoded database credentials in Samsung MagicInfo9 Server allow direct database access and manipulation.
Remote code execution in MagicInfo 9 Server (versions prior to 21.1090.1) allows unauthenticated attackers to upload arb
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today