CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-25202

CVSS 9.8v3.1pub. 2026-02-02upd. 2026-03-10

The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.

🤖 AI Analysis
How it works

The vulnerability results from the use of static, hard-coded database credentials embedded in the application code (CWE-798 — Use of Hard-coded Credentials). An attacker who learns these credentials — for example through analysis of application files or publicly available information — can directly connect to the server database. The connection is possible without any authentication on the attacker's side, as the hard-coded credentials present in the application are sufficient. After gaining access, the attacker can read, modify, or delete data stored in the database.

Impact

Attackers gain full access to the MagicINFO 9 Server database, allowing them to read confidential data, modify it, or delete it, and consequently may lead to complete takeover of the digital signage system.

Mitigation & patch

Samsung MagicINFO 9 Server should be updated to version 21.1090.1 or newer. Detailed information about available patches is available from the vendor at: https://security.samsungtv.com/securityUpdates

Who is affected

Samsung MagicINFO 9 Server in all versions older than 21.1090.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Samsung Magicinfo 9 Server

    APP
    Samsung
    < 21.1090.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-4632CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM

CVE-2026-25200CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML

CVE-2025-54438CRITICAL9.8PL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell

CVE-2025-54440CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection

CVE-2025-54442CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection