
Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. It is used by retail stores, airports, hospitals, corporate buildings, and restaurants, where there is a need to schedule, distribute, display, and monitor multimedia content.
The server features a file upload functionality intended for updating display content, but hackers are abusing it to upload malicious code.
The flaw, tracked under CVE-2024-7399, was first publicly disclosed in August 2024 when it was fixed as part of the release of version 21.1050.
The vendor described the vulnerability as an “Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server [that] allows attackers to write arbitrary file as system authority.”
On April 30, 2025, security researchers at SSD-Disclosure published a detailed write-up along with a proof-of-concept (PoC) exploit that achieves RCE on the server without any authentication using a JSP web shell.
The attacker uploads a malicious .jsp file via an unauthenticated POST request, exploiting path traversal to place it in a web-accessible location.
By visiting the uploaded file with a cmd parameter, they can execute arbitrary OS commands and see the output in the browser.
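Both stages of this attack can leave traces in the server's web access logs, and the following Python sketch flags them. It is an added example, not code from SSD-Disclosure, Arctic Wolf or Samsung; it assumes Common Log Format access logs that record the query string, and the `/EXAMPLE/` paths, the `fileName` parameter and the addresses in the sample are constructed placeholders, not the product's real endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def classify(line):
    """Return (client, rule) for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    decoded = unquote(unquote(target)).lower()  # second pass catches double encoding
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    # Stage 1: POST whose target carries a traversal sequence and a .jsp name
    if method == "POST" and TRAVERSAL_RE.search(decoded) and ".jsp" in decoded:
        return client, "traversal-jsp-upload"
    # Stage 2: request to a .jsp page with a cmd query parameter
    if path.endswith(".jsp") and "cmd" in params:
        return client, "jsp-cmd-parameter"
    return None

def scan(lines):
    """Return per-line hits and the clients that triggered both rules."""
    hits, rules_by_client = [], {}
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            client, rule = result
            hits.append((n, client, rule))
            rules_by_client.setdefault(client, set()).add(rule)
    both = sorted(c for c, r in rules_by_client.items() if len(r) == 2)
    return hits, both

# Constructed sample log lines; paths, parameter names and addresses are placeholders.
SAMPLE = [
    '203.0.113.7 - - [06/May/2025:10:00:01 +0000] "POST /EXAMPLE/upload?fileName=..%2f..%2fserver%2fx.jsp HTTP/1.1" 200 12',
    '203.0.113.7 - - [06/May/2025:10:00:05 +0000] "GET /EXAMPLE/x.jsp?cmd=whoami HTTP/1.1" 200 31',
    '198.51.100.4 - - [06/May/2025:10:01:00 +0000] "GET /EXAMPLE/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.4 - - [06/May/2025:10:02:00 +0000] "POST /EXAMPLE/upload?fileName=promo.mp4 HTTP/1.1" 200 12',
    '192.0.2.9 - - [06/May/2025:10:03:00 +0000] "POST /EXAMPLE/upload?fileName=..%252f..%252fy.JSP HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    hits, both = scan(SAMPLE)
    for n, client, rule in hits:
        print(f"line {n}: {client} {rule}")
    print("clients with upload and cmd request:", both)
```

If the upload carries the file name in the request body rather than the URL, only the second rule can fire from access logs alone, so a hit on either rule is worth triage.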
Arctic Wolf now reports that the CVE-2024-7399 flaw is actively exploited in attacks a few days after the PoC's release, indicating that threat actors adopted the disclosed attack method in real operations.
“Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability,” warned Arctic Wolf.
Another active exploitation confirmation comes from threat analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over devices.
Given the active exploitation status of the flaw, it is strongly recommended that system administrators take immediate action to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to version 21.1050 or later.
Update 5/7 – There is some debate as to whether or not the flaw targeted by SSD-Disclosure's PoC is actually CVE-2024-7399 or an unfixed zero-day vulnerability, with HuntressLabs security researchers reporting that Samsung's download portal doesn't even provide the latest firmware version when trying to download it from the official site.