Samsung’s widely used MagicINFO 9 Server, a digital signage management platform, has been found to contain multiple security vulnerabilities. Security researchers have disclosed 18 serious flaws in the platform, some with CVSS scores as high as 9.8, enabling threat actors to launch a variety of high-impact attacks, from code injection and web shell uploads to authentication bypass using hard-coded credentials.
All 18 vulnerabilities affect MagicINFO 9 Server versions prior to 21.1080.0, prompting urgent patching recommendations.
Samsung MagicINFO is a centralized solution used to create, schedule, distribute, and monitor digital signage content. From retail to transportation hubs, it’s a backbone for screen-based communication. That wide deployment footprint makes these vulnerabilities especially dangerous.
Below are key categories among the vulnerabilities, along with notable CVEs and their impact:
Remote Code Execution via File Upload
A large portion of the vulnerabilities stems from unrestricted upload of files with dangerous types, which allows arbitrary code to be placed on and executed by the server.
- CVE-2025-54439, CVE-2025-54444, CVE-2025-54440, CVE-2025-54441, CVE-2025-54442, CVE-2025-54448, CVE-2025-54449
- All scored CVSS 8.8 – 9.8
- These allow attackers to upload files like .jsp or .exe and execute malicious code on the server.
Path Traversal and Web Shell Upload
Three separate vulnerabilities allow path traversal attacks, enabling adversaries to place web shells outside of intended directories:
- CVE-2025-54438, CVE-2025-54443, CVE-2025-54446
- Improper Limitation of a Pathname to a Restricted Directory makes it possible to upload a web shell directly to the web server’s executable path, effectively giving the attacker remote access.
Authentication Bypass and Hard-Coded Credentials
Two CVEs expose weak authentication mechanisms:
- CVE-2025-54454, CVE-2025-54455 (CVSS 9.1)
- These vulnerabilities stem from hard-coded credentials, which allow attackers to completely bypass authentication.
- CVE-2025-54452 (CVSS 7.3)
- An improper authentication flaw that could let attackers impersonate legitimate users.
XML External Entity (XXE) Injection and SSRF
- CVE-2025-54445 (CVSS 8.2)
- This vulnerability allows Server-Side Request Forgery (SSRF), potentially exposing internal services or sensitive files.
Other Notables
- CVE-2025-54450, CVE-2025-54453, CVE-2025-54451
- Covering a mix of code generation issues and additional path traversal flaws.
When combined, these vulnerabilities form a highly exploitable attack surface that could be leveraged in chained attacks. For example, attackers could:
- Bypass authentication using hard-coded credentials (CVE-2025-54454)
- Upload a web shell via path traversal (CVE-2025-54438)
- Inject code or execute commands with elevated privileges (CVE-2025-54444)
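A chain like the one above leaves a recognisable trace in the web server's access log: a request carrying a traversal sequence from one source, followed shortly by that same source requesting a server-side script under a directory that should only serve static content. The following is an added example for this article, not code from Samsung or the researchers: it parses constructed Common Log Format lines, tags traversal sequences (raw and percent-encoded) and script requests under the content directory, and correlates the two per source address inside a time window. The endpoints (/app/upload, /uploads/, /conf/) and the log lines are invented for the example and are not MagicINFO's real paths; it assumes the lines arrive in time order.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format style) for this example.
# The endpoints and addresses are hypothetical, not MagicINFO's.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /content/logo.png HTTP/1.1" 200 4096',
    '203.0.113.7 - - [01/Sep/2025:10:02:10 +0000] "POST /app/upload?name=%2e%2e%2f%2e%2e%2fshell.jsp HTTP/1.1" 200 17',
    '203.0.113.7 - - [01/Sep/2025:10:02:31 +0000] "GET /uploads/shell.jsp HTTP/1.1" 200 233',
    '198.51.100.9 - - [01/Sep/2025:10:05:00 +0000] "GET /uploads/%2e%2e/%2e%2e/conf/app.properties HTTP/1.1" 404 0',
    '10.0.0.8 - - [01/Sep/2025:10:06:00 +0000] "GET /uploads/shell.jsp HTTP/1.1" 404 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Raw and percent-encoded traversal sequences.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)
# Server-side executable extensions at the end of the path (before any query string).
SCRIPT_EXT_RE = re.compile(r"\.(jsp|jspx|war|exe)(\?|$)", re.IGNORECASE)
# Directory that should only ever serve static signage content (assumption).
CONTENT_DIR = "/uploads/"


def parse_line(line: str):
    """Parse one CLF-style line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode twice so a double-encoded sequence (%252e) is still seen as '..'.
    req["decoded_path"] = unquote(unquote(req["path"]))
    return req


def classify(req: dict) -> list:
    """Return the detection tags that apply to a single parsed request."""
    tags = []
    path = req["decoded_path"]
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(req["path"]):
        tags.append("traversal_sequence")
    # A script served (200) from the static content directory is a web shell indicator.
    if path.startswith(CONTENT_DIR) and SCRIPT_EXT_RE.search(path) and req["status"] == "200":
        tags.append("script_in_content_dir")
    return tags


def analyze(lines, window_seconds: int = 600) -> dict:
    """Tag each request and correlate traversal followed by script execution per source IP."""
    findings = []
    chains = []
    last_traversal = {}  # ip -> timestamp of the most recent traversal finding
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for tag in classify(req):
            findings.append({"ip": req["ip"], "tag": tag, "path": req["path"], "ts": req["ts"]})
            if tag == "traversal_sequence":
                last_traversal[req["ip"]] = req["ts"]
            elif tag == "script_in_content_dir":
                t0 = last_traversal.get(req["ip"])
                if t0 is not None and (req["ts"] - t0).total_seconds() <= window_seconds:
                    chains.append({"ip": req["ip"], "traversal_at": t0, "script_path": req["path"]})
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts'].isoformat()} {f['ip']:<14} {f['tag']:<24} {f['path']}")
    for c in result["chains"]:
        print(f"CHAIN {c['ip']}: traversal at {c['traversal_at'].isoformat()}, then {c['script_path']}")
```

Against the sample, the internal client fetching a logo produces nothing, the 404 probe for the script name from 10.0.0.8 produces nothing (the file is not there to execute), the traversal attempt from 198.51.100.9 produces a single finding, and 203.0.113.7 produces both a traversal and a successful script request 21 seconds apart, which the correlation reports as a chain. The 200-status requirement on the script rule keeps it to cases where the file actually exists; a deployment that wants to see failed probes as well can drop that condition into a lower-severity tag.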
For organizations that expose MagicINFO servers to the internet—or connect them to internal networks with sensitive data—the consequences could be critical.
Samsung users must immediately upgrade to MagicINFO 9 Server version 21.1080.0 or later.