Samsung has issued urgent updates to fix a critical security vulnerability in its MagicINFO 9 Server software that has been actively exploited in real-world attacks. Tracked as CVE-2025-4632 and rated 9.8 on the CVSS scale, the flaw is a path traversal vulnerability that allows attackers to write arbitrary files with system-level privileges.
According to Samsung’s security advisory, the vulnerability affects MagicINFO 9 Server versions prior to 21.1052, and stems from insufficient restrictions on file pathnames. Notably, CVE-2025-4632 is a patch bypass for an earlier flaw, CVE-2024-7399, which Samsung addressed in August 2024.
Shortly after security firm SSD Disclosure published a proof-of-concept exploit on April 30, 2025, the vulnerability began to be abused in the wild. Some attackers even used it to deploy the Mirai botnet, a notorious malware strain that runs on IoT devices and is used to launch large-scale distributed denial-of-service (DDoS) attacks.
Initially, it was believed that the attacks were targeting the older CVE-2024-7399 flaw. However, cybersecurity firm Huntress discovered that even servers running the most recent version at the time (21.1050) were being compromised. This led to the identification of the previously unknown CVE-2025-4632.
In a detailed analysis released on May 9, Huntress documented three separate attack incidents. In two of them, attackers downloaded and executed malicious payloads such as “srvany.exe” and “services.exe”, while in the third, they performed reconnaissance commands.
Samsung urges all MagicINFO 9 Server users to update to version 21.1052.0, which effectively mitigates the issue. Huntress’s director of adversary tactics, Jamie Levy, confirmed that this version addresses the vulnerability. However, upgrading isn’t simple for all users—those running MagicINFO v8 must first transition to v9 21.1050.0 before they can apply the latest patch.
Given the active exploitation and potential for further attacks, applying the security update promptly is strongly recommended.