CVE-2025-54450
Published: 23 July 2025
Summary
CVE-2025-54450 is a high-severity Path Traversal (CWE-22) vulnerability in Samsung Magicinfo 9 Server. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-54450, published on 2025-07-23, is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified under CWE-22, in Samsung Electronics MagicINFO 9 Server. This flaw allows Code Injection and affects MagicINFO 9 Server versions less than 21.1080.0. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) but no user interaction (UI:N). An attacker with sufficient access can leverage path traversal to inject and execute arbitrary code, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U).
Samsung's security advisory provides details on mitigation, available at https://security.samsungtv.com/securityUpdates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22410
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing MagicINFO server directly enables remote code injection/execution (CWE-22 leading to RCE).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation of file/path inputs to block the CWE-22 path traversal that enables code injection.
Limits privileges of accounts that could otherwise exploit the high-privilege path traversal vector described in the CVE.
Detects unauthorized code or file modifications resulting from successful path traversal and injection.