The article, published on 5 February 2026, reports that Samsung’s MagicInfo 9 Server has three critical vulnerabilities that could allow unauthenticated attackers to take over affected systems.
It highlights CVE-2026-25202 (CVSS 9.8) as a hardcoded credential flaw that lets attackers log in and manipulate the database, CVE-2026-25201 (CVSS 8.8) as a remote code execution risk in which unauthenticated file uploads can be used to run code, and CVE-2026-25200 (CVSS 9.8) as a flaw that permits uploading HTML files without authentication, leading to stored XSS and potential account takeover.
The flaws affect all MagicInfo 9 Server versions prior to 21.1090.1, exposing public displays not just to defacement but to total network compromise. Samsung has addressed these issues in the latest update, and administrators are advised to upgrade to version 21.1090.1 or later to remove the hardcoded credentials and close the upload loopholes.