Description
The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.
Published: 2026-02-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access and modification
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from hardcoded database credentials embedded in MagicINFO 9 Server, allowing an authenticated user to log in with a privileged account and manipulate the underlying database. This flaw enables an attacker to read, alter, or delete data, potentially leading to loss of confidentiality, integrity, and availability. The weakness aligns with CWE-798, reflecting the use of fixed credentials that compromise authentication security.

Affected Systems

The affected product is Samsung Electronics MagicINFO 9 Server. All versions older than 21.1090.1 contain the hardcoded credentials and are therefore vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity risk. Although the EPSS score is reported as less than 1%, suggesting low current exploitation probability, the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can reach the server's login interface could exploit the hardcoded credentials to gain administrative database access. No explicit evidence indicates remote unauthenticated exploitation; the primary attack vector appears to be local or remote login by an authenticated user.

Generated by OpenCVE AI on April 18, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Samsung's published security update, upgrading to version 21.1090.1 or later.
  • After patching, verify that configuration files no longer contain hardcoded credentials and remove any retained privileged accounts.
  • Restrict network exposure of the MagicINFO 9 Server by placing it behind a firewall or VPN, limiting access to trusted administrators only, and enable audit logging to detect unauthorized attempts.

Generated by OpenCVE AI on April 18, 2026 at 14:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title Hardcoded Database Credentials in MagicINFO 9 Server Allow Remote Administrative Access

Tue, 10 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung magicinfo 9 Server
CPEs cpe:2.3:a:samsung:magicinfo_9_server:*:*:*:*:*:*:*:*
Vendors & Products Samsung
Samsung magicinfo 9 Server

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Electronics
Samsung Electronics magicinfo 9 Server
Vendors & Products Samsung Electronics
Samsung Electronics magicinfo 9 Server

Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Samsung Magicinfo 9 Server
Samsung Electronics Magicinfo 9 Server
cve-icon MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-02-26T15:04:39.986Z

Reserved: 2026-01-30T06:07:11.090Z

Link: CVE-2026-25202

cve-icon Vulnrichment

Updated: 2026-02-02T17:52:19.504Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T05:16:07.280

Modified: 2026-03-10T18:44:22.143

Link: CVE-2026-25202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses