CVE-2025-4632

CRITICAL KEV NUCLEI

Samsung MagicINFO <21.1052 - Path Traversal

Title source: llm

Description

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.

Exploits (1)

nomisec STUB

by MantisToboggan-git · poc

https://github.com/MantisToboggan-git/CVE-2025-4632-POC

View Code ZIP pw:eip

Nuclei Templates (1)

Samsung MagicINFO 9 Server - File Upload & Remote Code Execution

CRITICALby s4e-io

Shodan: Server: magicinfo premium server

References (2)

[Patch, Vendor Advisory] https://security.samsungtv.com/securityUpdates#SVP-MAY-2025

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-4632

Scores

CVSS v3 9.8

EPSS 0.4916

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2025-05-22

VulnCheck KEV 2025-05-06

ENISA EUVD EUVD-2025-14362

CWE

CWE-22

Status published

Products (1)

samsung/magicinfo_9_server < 21.1052.0

Published May 13, 2025

KEV Added May 22, 2025

Tracked Since Feb 18, 2026