Samsung MagicINFO 9 Server Local Privilege Escalation Vulnerability Patched (CVE-2026-25203)
A local privilege escalation vulnerability in Samsung MagicINFO 9 Server, tracked as CVE-2026-25203, allows attackers with low-privileged access to gain SYSTEM-level control; a fix is available in version 21.1091.1.

Samsung has released a security update for its MagicINFO 9 Server software to address a local privilege escalation vulnerability that could allow an attacker to gain full SYSTEM-level control of an affected system. The flaw, assigned CVE-2026-25203 and disclosed by Trend Micro's Zero Day Initiative (ZDI), carries a CVSS score of 7.8, indicating high severity.
The vulnerability stems from incorrect default permissions on a folder used by the MagicINFO 9 Server installer. According to the ZDI advisory, an attacker who first obtains the ability to execute low-privileged code on the target system can exploit this misconfiguration to escalate privileges and execute arbitrary code in the context of SYSTEM. This means that even if an attacker has only limited access to a machine, they can leverage this flaw to take complete control.
The issue was discovered by Bobby Gould of Trend Micro's Zero Day Initiative, who reported it to Samsung on December 16, 2025. Samsung has addressed the vulnerability in MagicINFO 9 Server version 21.1091.1, which is available via the Samsung security updates portal at https://security.samsungtv.com/securityUpdates. The coordinated public disclosure occurred on April 15, 2026.
MagicINFO 9 Server is a digital signage content management platform used by businesses to manage displays in retail, hospitality, and corporate environments. While the vulnerability requires local access to exploit, it poses a significant risk in shared or multi-tenant environments, where a low-privileged user account or a compromised application could use it to fully compromise the host.
Organizations running Samsung MagicINFO 9 Server should prioritize updating to version 21.1091.1 or later. As a general best practice, administrators should also review folder permissions on the server and limit local user privileges to reduce the attack surface for such escalation flaws.
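To act on the folder-permission review recommended above, here is an added PowerShell audit (not code from Samsung, ZDI or the advisory) that walks an installation tree and lists every directory where a principal that all local users belong to holds write-class rights, which is the kind of default-permission weakness described for this flaw. The root path is a placeholder, since the advisory does not name the affected folder.

```powershell
# Added example: audit a directory tree for ACEs that grant write-class rights
# to low-privileged principals. Run as an administrator on the server.
param(
    # Placeholder root; substitute the real MagicINFO 9 Server install directory.
    [string]$Root = 'C:\MagicINFO_Server_PLACEHOLDER'
)

# Principals that any low-privileged local user is a member of.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user create, replace or delete content, or alter the ACL itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WeakFolderAcl {
    param([string]$Path)
    # Include the root itself plus every subdirectory.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Skip ACEs whose rights do not intersect the write mask.
            if (([int]($ace.FileSystemRights -band $WriteMask)) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point to a weak parent
            }
        }
    }
}

Find-WeakFolderAcl -Path $Root | Format-Table -AutoSize
```

Any row returned for a directory whose contents are read or executed by a SYSTEM service deserves a fix (remove the write-class ACE or re-apply the vendor's patched installer); an Inherited value of True means the weakness originates higher in the tree.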