SRC-2025-0002 : Samsung MagicINFO 9 Server Hard-coded Credentials Local Privilege Escalation Vulnerability
CVE ID: CVE-2025-UNKNOWN
CVSS Score: 8.8 (/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: Samsung
Affected Products: MagicINFO <= 21.1080.0
Vulnerability Details:
This vulnerability allows local attackers to escalate privileges on affected installations of Samsung MagicINFO. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists in the creation of the database account. The product uses a hard-coded password for the magicinfo user. An attacker can leverage this to access the database and exploit the trust between the application and the database, resulting in escalated privileges in the context of SYSTEM.
Vendor Response:
Samsung has issued an update to correct this vulnerability. More details can be found at: https://security.samsungtv.com/securityUpdates
Disclosure Timeline:
- 2025-09-02 – Vulnerability reported to [email protected]
- 2025-09-02 – Acknowledgement of submission from the vendor
- 2026-01-28 – Coordinated public release of advisory
Credit: This vulnerability was discovered by Steven Seeley of Source Incite
