CVE-2026-25200

Samsung · Samsung MagicINFO 9 Server

Executive summary

A critical vulnerability has been identified in Samsung MagicINFO 9 Server, assigned a CVSS score of 9.8. This flaw allows an unauthenticated attacker to upload malicious HTML files, which can lead to a stored cross-site scripting (XSS) attack, resulting in the complete takeover of administrator accounts and compromise of the server. Organizations are urged to apply the necessary updates immediately to mitigate the significant risk of system compromise.

Vulnerability

The vulnerability exists due to an improper access control check on a file upload function within the MagicINFO 9 Server. An unauthenticated remote attacker can bypass security restrictions and upload a specially crafted HTML file containing malicious JavaScript code. When an authenticated user, particularly an administrator, accesses the section of the web interface that renders this file, the embedded script executes within their browser context, leading to a stored cross-site scripting (XSS) attack. This allows the attacker to steal the administrator's session cookies, hijack their session, and gain full administrative control over the server.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a severe risk to the organization. Successful exploitation could lead to a complete compromise of the MagicINFO server, allowing an attacker to manipulate digital signage content, access or exfiltrate any data managed by the server, and potentially use the compromised system as a launchpad for further attacks into the internal network. The potential consequences include significant reputational damage, operational disruption, and data breach, making immediate remediation a top priority.

Remediation

Immediate Action: Update all vulnerable instances of Samsung MagicINFO 9 Server to version 21.1090.1, or to the latest version provided by the vendor, without delay. After patching, review server access logs and file system directories for suspicious HTML files or unauthorized access attempts that may have occurred before the update was applied.

Proactive Monitoring: Monitor web server and application logs for anomalous file upload attempts, especially for .html or .js files directed at unexpected endpoints. Network monitoring should be configured to detect and alert on unusual outbound connections from the MagicINFO server, which could indicate a successful compromise. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads and unauthorized file uploads.
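The two review steps above (checking access logs for HTML/JS upload attempts and checking content directories for planted HTML) can be scripted for triage. The following is an added example, not Samsung's tooling; the combined log format, the `/upload/content/` endpoint path and all sample data are constructed assumptions and will differ from a real MagicINFO deployment.

```python
"""Post-patch triage helper for the remediation steps above (added example;
not Samsung's tooling). Log format, paths and sample data are assumptions."""
import re
import tempfile
from pathlib import Path

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Write requests naming .html/.js files (with or without a query string).
UPLOAD_EXT_RE = re.compile(r'\.(html?|js)(\?|$)', re.IGNORECASE)
# Script-capable content, checked regardless of the file's extension.
ACTIVE_HTML_RE = re.compile(rb'<script\b|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)

# Constructed sample lines; the endpoint path is hypothetical, not MagicINFO's.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2026:10:15:01 +0000] "POST /upload/content/banner.html HTTP/1.1" 200 512 "-" "curl/8.4"',
    '198.51.100.4 - admin [02/Mar/2026:10:16:12 +0000] "POST /upload/content/promo.mp4 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2026:10:17:30 +0000] "GET /upload/content/banner.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def scan_access_log(lines):
    """Return (ip, user, path, status) for POST/PUT requests that name an
    .html/.js file. A user field of '-' means no authenticated identity,
    which is the unauthenticated upload pattern this advisory describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m['method'] in ('POST', 'PUT') and UPLOAD_EXT_RE.search(m['path']):
            hits.append((m['ip'], m['user'], m['path'], int(m['status'])))
    return hits

def scan_upload_dir(root):
    """Return relative paths of files under root whose bytes contain active HTML."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob('*')
                  if p.is_file() and ACTIVE_HTML_RE.search(p.read_bytes()))

def build_sample_dir():
    """Create a constructed content tree: a benign file, an HTML file with a
    script element, and a file whose image extension hides HTML content."""
    root = Path(tempfile.mkdtemp(prefix='triage-'))
    (root / 'content').mkdir()
    (root / 'content' / 'promo.txt').write_bytes(b'Spring promotion, 20% off')
    (root / 'content' / 'banner.html').write_bytes(b'<html><script>/* sample */</script></html>')
    (root / 'content' / 'logo.png').write_bytes(b'<a href="javascript:void(0)">x</a>')
    return root

if __name__ == '__main__':
    print('log hits:', scan_access_log(SAMPLE_LOG))
    print('active HTML files:', scan_upload_dir(build_sample_dir()))
```

Point `scan_access_log` at the real access log and `scan_upload_dir` at the server's content directory; a hit from an unauthenticated source, or HTML content hiding under a media extension, is what warrants a closer look.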

Compensating Controls: If immediate patching is not feasible, restrict network access to the MagicINFO server's management interface to a limited set of trusted IP addresses. Deploy a WAF with strict rules to block HTML file uploads and filter for common XSS attack vectors as a temporary mitigating measure until the patch can be applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this vulnerability, immediate action is required. All organizations using the affected versions of Samsung MagicINFO 9 Server must prioritize applying the security update to version 21.1090.1 or later. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime candidate for future inclusion and a significant target for attackers. Proactive patching is the most effective strategy to prevent a potential system compromise.