CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-54442

CVSS 9.8v3.1pub. 2025-07-23upd. 2025-07-30

Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0.

🤖 AI Analysis
How it works

The vulnerability (CWE-434) consists of the lack of proper validation and restrictions on the types of files uploaded in the MagicINFO 9 Server application. An attacker can send a network request containing a file of a dangerous type (e.g., a server-side executable script) without needing to have any permissions. After upload, the server may process or execute such a file, resulting in code injection and execution in the context of the server process.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely on the server (RCE), and as a consequence, gain full control over the system, including violation of data confidentiality, integrity, and availability.

Mitigation & patch

Samsung MagicINFO 9 Server must be updated immediately to version 21.1080.0 or later. Detailed information about available patches is available in the manufacturer's references: https://security.samsungtv.com/securityUpdates

Who is affected

Samsung MagicINFO 9 Server in all versions prior to 21.1080.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Samsung Magicinfo 9 Server

    APP
    Samsung
    < 21.1080.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-4632CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM

CVE-2026-25200CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML

CVE-2026-25202CRITICAL9.8PL ✓ten sam produkt

Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server

CVE-2025-54438CRITICAL9.8PL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell

CVE-2025-54440CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection