CVE-2026-25200
Published: 02 February 2026
Summary
CVE-2026-25200 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Samsung MagicINFO 9 Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate the content of uploaded HTML files against the expected format and syntax, so that malicious scripts cannot be injected for stored XSS.
- SI-15 (Information Output Filtering): filter information output by the server so that injected XSS payloads are not executed in victims' browsers, mitigating account takeover.
- Flaw remediation: apply the vendor fix promptly by upgrading MagicINFO 9 Server to version 21.1090.1 or later.
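A server-side check of the kind SI-10 and SI-15 describe, as an added example that is not Samsung's or MagicINFO's code: it rejects HTML and other browser-active uploads by extension, magic bytes and content (including double extensions and renamed HTML), and serves stored files with headers that make the browser download rather than render them. The allow-list, magic-byte table and marker regex are constructed assumptions to be tuned per deployment.

```python
import re

# Allow-list of extensions the content store accepts (constructed assumption;
# tune to the media types your deployment actually needs).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}

# Extensions browsers render as active content. SVG and XML are included:
# they are markup that can carry <script>, not plain images or data.
ACTIVE_EXT = {"html", "htm", "xhtml", "shtml", "svg", "xml", "js"}

# Magic bytes for the allowed types, so a declared .png must really be PNG.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8", "pdf": b"%PDF-"}

# Markers of HTML/script content, checked regardless of extension so that a
# renamed HTML payload is still caught.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|iframe|svg|object|embed|body)\b|javascript:",
    re.IGNORECASE,
)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """SI-10 style input validation. Returns (accepted, reason)."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    exts = parts[1:]  # every extension, so "page.html.png" is inspected too
    if any(e in ACTIVE_EXT for e in exts):
        return False, "active content extension"
    if exts[-1] not in ALLOWED_EXT:
        return False, "extension not in allow-list"
    if not data.startswith(MAGIC[exts[-1]]):
        return False, "content does not match declared type"
    if HTML_MARKERS.search(data[:65536]):
        return False, "HTML/script markers in content"
    return True, "ok"


def download_headers(stored_name: str) -> dict[str, str]:
    """SI-15 style output filtering: headers for serving a stored upload so
    the browser downloads it instead of rendering it as a page."""
    safe_name = re.sub(r"[^\w.-]", "_", stored_name)
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```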
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing web application directly enables T1190 exploitation; the malicious script execution it provides also facilitates T1185 browser session hijacking and T1539 web session cookie theft, leading to account takeover.
NVD Description
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover. This issue affects MagicINFO 9 Server: less than 21.1090.1.
Deeper analysis
CVE-2026-25200 is a stored cross-site scripting (XSS) vulnerability in MagicINFO 9 Server versions prior to 21.1090.1. The flaw allows authorized users to upload HTML files without authentication, enabling the injection of malicious scripts that persist and execute in the context of other users' browsers. It has been assigned CWE-434 and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, lack of required privileges or user interaction, and potential for high impact on confidentiality, integrity, and availability. The vulnerability was published on 2026-02-02.
Attackers can exploit this vulnerability remotely over the network without authentication or privileges, despite the description referencing authorized users, as indicated by the PR:N component of the CVSS vector. By uploading a malicious HTML file containing XSS payloads, an attacker can achieve stored XSS that executes when other users, including administrators, access affected pages. This can lead to account takeover through theft of session cookies or credentials, or through unauthorized actions performed on behalf of victims.
Samsung provides security updates and mitigation guidance for this issue at https://security.samsungtv.com/securityUpdates. Affected systems should be upgraded to MagicINFO 9 Server version 21.1090.1 or later to address the vulnerability.
Details
- CWE(s)