CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-54443

CVSS 9.8v3.1pub. 2025-07-23upd. 2025-07-30

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0

🤖 AI Analysis
How it works

The vulnerability consists of lack of proper file path restriction to allowed directories (CWE-22 — path traversal). An attacker can upload a file outside the designated target directory by placing it in a location accessible through the web server. This makes it possible to upload a web shell — a malicious script executed server-side — without requiring any authentication (PR:N, UI:N in the CVSS vector).

Impact

Attacker gains the ability to remotely execute arbitrary code on the server through the uploaded web shell, which may lead to complete system takeover, data breach, configuration modification, or further lateral movement in the network.

Mitigation & patch

Samsung MagicINFO 9 Server must be immediately updated to version 21.1080.0 or later. Patch details are available from the vendor at: https://security.samsungtv.com/securityUpdates

Who is affected

Samsung MagicINFO 9 Server in all versions prior to 21.1080.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Samsung Magicinfo 9 Server

    APP
    Samsung
    < 21.1080.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2025-4632CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server — zapis plików jako SYSTEM

CVE-2026-25200CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — Stored XSS przez upload plików HTML

CVE-2026-25202CRITICAL9.8PL ✓ten sam produkt

Zakodowane na stałe dane logowania do bazy danych w Samsung MagicINFO 9 Server

CVE-2025-54438CRITICAL9.8PL ✓ten sam produkt

Path Traversal w Samsung MagicINFO 9 Server umożliwia wgranie web shell

CVE-2025-54440CRITICAL9.8PL ✓ten sam produkt

Samsung MagicINFO 9 Server — nieograniczony upload pliku umożliwia Code Injection