Cyber Posture

CVE-2025-54446

Critical

Published: 23 July 2025

Published
23 July 2025
Modified
28 July 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0021 43.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54446 is a critical-severity Path Traversal (CWE-22) vulnerability in Samsung Magicinfo 9 Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of untrusted file path inputs in uploads to block path traversal sequences like '../' and prevent web shell placement outside restricted directories.

SC-7 Boundary Protection good match
prevent

Boundary protection at web server interfaces enables inspection and blocking of path traversal payloads in remote upload requests via WAF or similar mechanisms.

AC-3 Access Enforcement partial match
prevent

Enforces logical access controls on directories to restrict unauthorized writes, mitigating damage even if partial path traversal occurs.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Path traversal in public-facing server directly enables remote unauthenticated web shell upload/execution (T1190 + T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

Deeper analysisAI

CVE-2025-54446 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, mapped to CWE-22, in Samsung Electronics MagicINFO 9 Server. It affects versions less than 21.1080.0 and enables attackers to upload a web shell to the web server due to inadequate path validation.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is highly severe and remotely exploitable over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows uploading and executing a web shell, granting high-impact control over confidentiality, integrity, and availability of the affected server.

Samsung's security advisory at https://security.samsungtv.com/securityUpdates provides details on mitigation. Practitioners should upgrade to MagicINFO 9 Server version 21.1080.0 or later, where the issue is addressed.

Details

CWE(s)
CWE-22

Affected Products

samsung
magicinfo 9 server
≤ 21.1080.0

CVEs Like This One

CVE-2025-54443Same product: Samsung Magicinfo 9 Server
CVE-2025-54453Same product: Samsung Magicinfo 9 Server
CVE-2025-54450Same product: Samsung Magicinfo 9 Server
CVE-2025-54438Same product: Samsung Magicinfo 9 Server
CVE-2025-54441Same product: Samsung Magicinfo 9 Server
CVE-2025-54448Same product: Samsung Magicinfo 9 Server
CVE-2025-54442Same product: Samsung Magicinfo 9 Server
CVE-2025-54439Same product: Samsung Magicinfo 9 Server
CVE-2025-54444Same product: Samsung Magicinfo 9 Server
CVE-2025-54451Same product: Samsung Magicinfo 9 Server

References