Samsung Addresses CVE-2025-4632, Exploited in the Wild for Mirai Botnet Deployment Through MagicINFO 9 Vulnerability

May 14, 2025
Vulnerability / Malware

Samsung has issued software updates to fix a critical security vulnerability in MagicINFO 9 Server that has been actively targeted. Identified as CVE-2025-4632 (CVSS score: 9.8), this path traversal flaw allows attackers to write arbitrary files with system-level permissions. According to the advisory, the vulnerability arises from “improper limitation of a pathname to a restricted directory” in versions before 21.1052 of the MagicINFO 9 Server. Notably, CVE-2025-4632 serves as a patch bypass for a previously addressed vulnerability, CVE-2024-7399, which was mitigated by Samsung in August 2024. Shortly after a proof-of-concept was released by SSD Disclosure on April 30, 2025, CVE-2025-4632 began to be exploited in the wild, with reports of it being used to deploy the Mirai botnet. Initial investigations into these attacks mistakenly pointed to CVE-2024-7399, but cybersecurity firm Huntress later clarified the situation.

Samsung Addresses Critical Vulnerability in MagicINFO 9 Server Used by Attackers


In a significant security update, Samsung has released patches to address a critical vulnerability identified as CVE-2025-4632, which affects the MagicINFO 9 Server. This vulnerability, which scores a staggering 9.8 on the Common Vulnerability Scoring System (CVSS), is classified as a path traversal flaw. The advisory from Samsung details that the issue arises from an improper restriction of pathnames to designated directories, enabling unauthorized users to write arbitrary files with system-level privileges.

The origin of CVE-2025-4632 appears to be a patch bypass for a related vulnerability, CVE-2024-7399, which was previously fixed by Samsung in August 2024. Following the release of a proof-of-concept exploit by SSD Disclosure on April 30, 2025, this new vulnerability was quickly exploited in the wild. Reports indicate that attackers have utilized this flaw to deploy the notorious Mirai botnet, demonstrating its potential for widespread impact.

While initial assessments suggested that the attacks targeted only the earlier CVE-2024-7399, cybersecurity firm Huntress has brought to light the extent of the exploitation surrounding CVE-2025-4632. This highlights a concerning pattern in cybersecurity, where an incomplete patch leaves a vulnerability exploitable even after the update has been applied.
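The incomplete-fix pattern behind a patch bypass, shown as an added illustration that is not Samsung's or MagicINFO's code: a hypothetical file-write handler whose first "fix" strips the literal `../` sequence once, beside a canonicalise-then-check-containment version. The content directory and the sample file names are constructed.

```python
import posixpath

# Constructed, hypothetical upload handler: NOT Samsung's code. It models the
# weakness "improper limitation of a pathname to a restricted directory" in a
# file-write endpoint and shows why a string-stripping "fix" invites a bypass.
UPLOAD_ROOT = "/srv/signage/content"  # assumed content directory (placeholder)

def naive_sanitise(name: str) -> str:
    """A partial fix: delete the literal '../' sequence in one pass and trust the result."""
    return name.replace("../", "")

def naive_target(name: str, root: str = UPLOAD_ROOT) -> str:
    """Where the naively 'fixed' handler would actually write."""
    return posixpath.normpath(posixpath.join(root, naive_sanitise(name)))

def strict_target(name: str, root: str = UPLOAD_ROOT):
    """Canonicalise first, then require the result to stay inside root.
    Returns the absolute path to write, or None to reject the request.
    Backslashes are folded to '/' so Windows-style traversal is caught as well."""
    folded = name.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, folded))
    root_norm = posixpath.normpath(root)
    if candidate == root_norm or posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate

# Constructed sample names, as a reviewer would exercise the two handlers.
SAMPLES = [
    "logo.png",                 # legitimate file name
    "../../etc/passwd",         # plain traversal: both versions keep it inside root
    "....//....//etc/passwd",   # one-pass stripping turns this into '../../etc/passwd'
    "/etc/passwd",              # absolute name: posixpath.join() discards the root
    "..\\..\\etc\\passwd",      # Windows separators, invisible to a '/'-only filter
]

def compare(names=SAMPLES):
    """Return {name: (naive write path, strict write path or None)} for review."""
    return {n: (naive_target(n), strict_target(n)) for n in names}

if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name!r:26} naive -> {naive:40} strict -> {strict}")
```

On a Windows host the backslash sample would also walk out of the root under the naive handler; the strict version rejects it regardless of platform.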

The targets of these attacks include organizations utilizing the MagicINFO 9 Server, which is prevalent among sectors relying on digital signage and multimedia management. Given that Samsung is a global technology provider, the affected user base is likely to be diverse, including numerous enterprises based in the United States.

Viewed through the MITRE ATT&CK framework, the attacks map onto several techniques. Initial access comes from exploiting the path traversal flaw to write files onto the server without authorization. The attackers may then have established persistence to keep their foothold in the affected environment and retain control over the compromised systems.

Privilege escalation is another component of these attacks, since the vulnerability permits file writes with system-level authority. Once access has been gained, adversaries can deploy malware such as Mirai, which recruits compromised devices into a larger botnet for abuse. This underscores the need for organizations to apply the update promptly and to remain vigilant after patch releases, given that the previous fix was bypassed.

As cybersecurity threats evolve, it remains crucial for businesses to stay informed about vulnerabilities and the corresponding patches. The exploitation of CVE-2025-4632 serves as a reminder of the ongoing risks associated with software vulnerabilities and the necessity for prompt action following updates from vendors like Samsung. Business owners must prioritize a proactive cybersecurity posture to safeguard their critical assets against potential threats.
