CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-54440

CVSS 9.8v3.1pub. 2025-07-23upd. 2025-07-30

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and results from insufficient validation of uploaded file types in Samsung MagicINFO 9 Server. An attacker can upload a file containing malicious code (such as a webshell or other executable payload) without requiring authentication or user interaction. After the file is uploaded, the server may process or execute it, resulting in arbitrary code execution in the context of the application.

Impact

Successful exploitation of this vulnerability allows an attacker to gain complete control over the server, including reading and modifying data (confidentiality, integrity) and potentially disrupting service availability. The vulnerability may lead to deeper compromise of network infrastructure.

Mitigation & patch

Samsung MagicINFO 9 Server should be immediately updated to version 21.1080.0 or newer. Detailed patch information is available at https://security.samsungtv.com/securityUpdates. Until the update is implemented, it is recommended to restrict network access to the server interface exclusively to trusted hosts and monitor suspicious activity related to file uploads.

Who is affected

Samsung MagicINFO 9 Server in versions prior to 21.1080.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Samsung Magicinfo 9 Server

    APP
    Samsung
    < 21.1080.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-4632CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM

CVE-2026-25200CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML

CVE-2026-25202CRITICAL9.8PL ✓ten sam produkt

Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server

CVE-2025-54438CRITICAL9.8PL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell

CVE-2025-54442CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection