CVE-2025-54450

High

Published: 23 July 2025

Published

23 July 2025

Modified

28 July 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 41.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54450 is a high-severity Path Traversal (CWE-22) vulnerability in Samsung Magicinfo 9 Server. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing MagicINFO server directly enables remote code injection/execution (CWE-22 leading to RCE).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Deeper analysisAI

CVE-2025-54450, published on 2025-07-23, is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified under CWE-22, in Samsung Electronics MagicINFO 9 Server. This flaw allows Code Injection and affects MagicINFO 9 Server versions less than 21.1080.0. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) but no user interaction (UI:N). An attacker with sufficient access can leverage path traversal to inject and execute arbitrary code, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U).

Samsung's security advisory provides details on mitigation, available at https://security.samsungtv.com/securityUpdates.

Details

CWE(s): CWE-22

Affected Products

samsung

magicinfo 9 server

≤ 21.1080.0

CVEs Like This One

CVE-2025-54453Same product: Samsung Magicinfo 9 Server

CVE-2025-54438Same product: Samsung Magicinfo 9 Server

CVE-2025-54443Same product: Samsung Magicinfo 9 Server

CVE-2025-54446Same product: Samsung Magicinfo 9 Server

CVE-2025-54451Same product: Samsung Magicinfo 9 Server

CVE-2025-54440Same product: Samsung Magicinfo 9 Server

CVE-2025-54449Same product: Samsung Magicinfo 9 Server

CVE-2025-54441Same product: Samsung Magicinfo 9 Server

CVE-2025-54448Same product: Samsung Magicinfo 9 Server

CVE-2025-54442Same product: Samsung Magicinfo 9 Server

References

https://security.samsungtv.com/securityUpdates
Vendor Advisory · PSIRT@samsung.com