Description
An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server.
This issue affects MagicINFO 9 Server: less than 21.1090.1.
Published: 2026-02-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The flaw allows an unauthenticated user to upload arbitrary files, enabling remote code execution and privilege escalation through the MagicInfo9 Server web interface. This is a high‑severity file‑upload vulnerability (CWE-434). The impact spans the entire affected instance, potentially giving attackers full control over the server and data it hosts.

Affected Systems

Samsung Electronics' MagicINFO 9 Server is vulnerable when its version is lower than 21.1090.1. No other vendor or product is listed as affected. All installations running an earlier version carry the same risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, and the EPSS score of less than 1% suggests low, but non‑zero, likelihood of current exploitation. The issue is not listed in the CISA KEV catalog, meaning no public exploitation evidence is reported yet. The attack path is straightforward: an unauthenticated user uploads a crafted file via the server’s file‑upload endpoint; because the application accepts any file type, an attacker can place a malicious script that the server will later execute, granting full administrative privileges.

Generated by OpenCVE AI on April 18, 2026 at 00:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MagicINFO 9 Server to version 21.1090.1 or later once the vendor releases a patch.
  • If an upgrade is delayed, block or disable the file‑upload functionality on the web interface or enforce strict file‑type checks so that only approved media files are accepted.
  • Apply network segmentation and firewall rules to restrict access to the MagicINFO server to trusted IP addresses or internal networks.
  • Review and monitor application logs for unauthorized upload attempts.
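The "strict file-type checks" interim control above, as an added example rather than MagicINFO's own upload handler (which the page does not show): an allowlist validator that combines a filename check, an extension allowlist and a content-signature check, so that only approved media files pass. The media types, byte signatures, function names and sample uploads are assumptions constructed for the demonstration.

```python
import os
import re

# Allowlist of media types the upload handler will accept. The types and their
# leading byte signatures are assumptions for this example, not MagicINFO's list.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mp4": (),  # ISO BMFF: the 'ftyp' box sits at offset 4, checked separately
}

# One simple name: letters, digits, '_' or '-', then exactly one extension.
# This rejects path separators, double extensions (cmd.jsp.png) and traversal.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,100}\.[A-Za-z0-9]{1,5}$")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only approved media files are accepted."""
    if os.path.basename(filename) != filename or not SAFE_NAME.match(filename):
        return False, "unsafe filename"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} not in media allowlist"
    if len(data) < 12:
        return False, "file too small to be valid media"
    if ext == "mp4":
        matches = data[4:8] == b"ftyp"
    else:
        matches = any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext])
    if not matches:
        return False, f"content does not match .{ext} signature"
    # A signature match is necessary, not sufficient: a polyglot can carry a
    # valid header followed by script code. Store accepted files outside the
    # web root under a server-generated name so they are never executed.
    return True, "accepted"


def demo() -> list[tuple[str, bool, str]]:
    # Constructed sample uploads: a real PNG header, a JSP, a traversal name,
    # a PHP file renamed to .png, and a minimal MP4 header.
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("cmd.jsp", b"<%-- jsp --%>" + b" " * 16),
        ("../cmd.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("fake.png", b"<?php echo 1; ?>" + b" " * 16),
        ("clip.mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 8),
    ]
    return [(name, *validate_upload(name, blob)) for name, blob in samples]
```

Rejections from this check are exactly the events the last recommendation asks you to log and monitor, so the returned reason string is worth writing to the application log together with the source address.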

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Samsung
                                        Samsung magicinfo 9 Server
  CPEs                                  cpe:2.3:a:samsung:magicinfo_9_server:*:*:*:*:*:*:*:*
  Vendors & Products                    Samsung
                                        Samsung magicinfo 9 Server

Tue, 03 Feb 2026 15:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Samsung Electronics
                                        Samsung Electronics magicinfo 9 Server
  Vendors & Products                    Samsung Electronics
                                        Samsung Electronics magicinfo 9 Server

Mon, 02 Feb 2026 18:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 05:00:00 +0000

  Type                 Values Removed   Values Added
  Description                           An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.
  Weaknesses                            CWE-434
  References
  Metrics                               cvssV3_1
                                        {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: samsung.tv_appliance
Published:
Updated: 2026-02-26T15:04:40.332Z
Reserved: 2026-01-30T06:07:11.090Z
Link: CVE-2026-25201

Vulnrichment

Updated: 2026-02-02T17:53:24.451Z

NVD

Status: Analyzed
Published: 2026-02-02T05:16:06.697
Modified: 2026-03-10T18:44:05.213
Link: CVE-2026-25201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z

Weaknesses