Magicinfo 9 Server
CVE-2026-25201
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.
AnalysisAI
Remote code execution in MagicInfo 9 Server (versions prior to 21.1090.1) allows unauthenticated attackers to upload arbitrary files without authentication, resulting in complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability enables privilege escalation and requires only user interaction to trigger. No patch is currently available for this critical flaw affecting all vulnerable MagicInfo 9 Server installations.
Technical ContextAI
Classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Affects Magicinfo 9 Server. An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1.
RemediationAI
Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.
More in Magicinfo 9 Server
View allSamsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Unauthenticated file upload leading to stored XSS and potential RCE in Samsung MagicInfo9 Server. HTML files uploaded wi
Hardcoded database credentials in Samsung MagicInfo9 Server allow direct database access and manipulation.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today