Article Details
Scrape Timestamp (UTC): 2025-05-06 17:15:07.086
Original Article Text
Click to Toggle View
Samsung MagicINFO 9 Server RCE flaw now exploited in attacks. Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. It is used by retail stores, airports, hospitals, corporate buildings, and restaurants, where there's a need to schedule, distribute, display, and monitor multimedia content. The server component features a file upload functionality intended for updating display content, but hackers are abusing it to upload malicious code. The flaw, tracked under CVE-2024-7399, was first publicly disclosed in August 2024 when it was fixed as part of the release of version 21.1050. The vendor described the vulnerability as an "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server [that] allows attackers to write arbitrary file as system authority." On April 30, 2025, security researchers at SSD-Disclosure published a detailed write-up along with a proof-of-concept (PoC) exploit that achieves RCE on the server without any authentication using a JSP web shell. The attacker uploads a malicious .jsp file via an unauthenticated POST request, exploiting path traversal to place it in a web-accessible location. By visiting the uploaded file with a cmd parameter, they can execute arbitrary OS commands and see the output in the browser. Arctic Wolf now reports that the CVE-2024-7399 flaw is actively exploited in attacks a few days after the PoC's release, indicating that threat actors adopted the disclosed attack method in real operations. "Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability," warned Arctic Wolf. Another active exploitation confirmation comes from threat analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over devices. Given the active exploitation status of the flaw, it is recommended that system administrators take immediate action to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to version 21.1050 or later. Top 10 MITRE ATT&CK© Techniques Behind 93% of Attacks Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Daily Brief Summary
Hackers are exploiting an RCE vulnerability (CVE-2024-7399) in Samsung MagicINFO 9 Server, allowing device hijacking and malware deployment.
Samsung MagicINFO Server is a central management system used widely in sectors like retail and healthcare to manage multimedia content on digital signs.
The vulnerability, disclosed and patched in August 2024, stems from improper file upload restrictions enabling attackers to upload malicious code.
Security researchers recently published a proof-of-concept demonstrating how attackers achieve remote code execution by uploading a .jsp file and executing OS commands via the web.
Arctic Wolf has reported active exploitation following the release of the proof-of-concept, predicting continued targeting due to the vulnerability's ease of exploitation.
A variant of the Mirai botnet malware has been observed leveraging this vulnerability to take over affected devices.
Urgent patching to version 21.1050 or later is recommended for system administrators to mitigate the risk associated with this vulnerability.