Local Privilege Escalation in Samsung MagicINFO 9 Server (CVE-2026-25203) Enables SYSTEM‑Level Code Execution
What It Is – Samsung MagicINFO 9 Server contains an installer‑level flaw that grants a low‑privileged user write access to a critical folder. An attacker who can already run code as a normal user can abuse the misconfigured folder permissions to elevate to the Windows SYSTEM account and run arbitrary code.
Exploitability – The vulnerability is exploitable only by a local user; no public exploit code has been released, but the required steps (low‑privilege code execution followed by abuse of the writable folder) are straightforward. CVSS 7.8 (High).
Affected Products – Samsung MagicINFO 9 Server (all versions prior to 21.1091.1).
TPRM Impact –
- Third‑party deployments of Samsung’s digital‑signage platform may become a foothold for attackers to pivot into corporate networks.
- Compromise of the MagicINFO server can expose internal media assets, configuration files, and potentially allow lateral movement to other on‑premise systems.
Recommended Actions –
- Patch immediately to version 21.1091.1 or later.
- Verify that the installation folder permissions are restricted to the service account only.
- Conduct a privilege‑escalation audit on any remaining legacy MagicINFO instances.
- Update third‑party risk registers to reflect the new vulnerability and re‑evaluate any contracts that rely on MagicINFO for critical communications.
- Monitor endpoint logs for unexpected service‑account activity or execution of unsigned binaries in the MagicINFO directory.
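The second recommended action (confirming that the installation folder is writable only by the service account) can be checked with the following PowerShell audit. This is an added example, not code from Samsung or from the advisory; the install path and service account name are placeholders that must be replaced with the real values for the deployment.

```powershell
# Added example: flag Allow ACEs that grant write-class rights on the MagicINFO
# install tree to any principal other than the expected high-privilege accounts.
param(
    [string]$InstallRoot    = 'C:\PLACEHOLDER\MagicINFO',   # placeholder: real install path
    [string]$ServiceAccount = 'DOMAIN\PLACEHOLDER-svc'       # placeholder: real service account
)

# Principals that are expected to hold write rights on the install tree.
$allowedPrincipals = @(
    $ServiceAccount,
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a low-privileged user create, replace, delete or re-ACL files.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Inherited ACEs may carry generic rights (GENERIC_WRITE / GENERIC_ALL) instead.
$genericWriteMask = 0x40000000 -bor 0x10000000

function Test-WeakFolderAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($allowedPrincipals -contains $who) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $writeMask) -ne 0) -or (($raw -band $genericWriteMask) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $who
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Audit the root and every subdirectory; a non-zero exit signals findings.
$findings = @(Test-WeakFolderAcl -Path $InstallRoot)
$findings += Get-ChildItem -LiteralPath $InstallRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-WeakFolderAcl -Path $_.FullName }

if ($findings.Count -eq 0) { Write-Output "No unexpected write ACEs under $InstallRoot" }
else { $findings | Format-Table -AutoSize; exit 1 }
```

Run it from an elevated prompt after patching to 21.1091.1 or later; any row listing a principal such as `BUILTIN\Users` or `Everyone` with Modify or FullControl is exactly the condition the advisory warns about and should be corrected with `icacls` or `Set-Acl`.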