Samsung MagicINFO 9 Server RCE flaw now exploited in attacks


Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.

Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. It's used by retail stores, airports, hospitals, corporate buildings, and restaurants, where there is a need to schedule, distribute, display, and monitor multimedia content.

The server component features a file upload functionality intended for updating display content, but hackers are abusing it to upload malicious code.

The flaw, tracked under CVE-2024-7399, was first publicly disclosed in August 2024 when it was fixed as part of the release of version 21.1050.

The vendor described the vulnerability as an “Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server [that] allows attackers to write arbitrary file as system authority.”

On April 30, 2025, security researchers at SSD-Disclosure published a detailed write-up along with a proof-of-concept (PoC) exploit that achieves RCE on the server without any authentication using a JSP web shell.

The attacker uploads a malicious .jsp file via an unauthenticated POST request, exploiting path traversal to place it in a web-accessible location.

By visiting the uploaded file with a cmd parameter, they can execute arbitrary OS commands and see the output in the browser.

Arctic Wolf now reports that the CVE-2024-7399 flaw is actively exploited in attacks just a few days after the PoC’s release, indicating that threat actors adopted the disclosed attack method in real operations.

“Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability,” warned Arctic Wolf.

Another active exploitation confirmation comes from threat analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over devices.

Given the active exploitation status of the flaw, it’s recommended that system administrators take immediate action to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to version 21.1050 or later.
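For administrators checking whether a server was hit before patching, the following sketch scans web access logs for the two request patterns described above: a POST carrying a path traversal sequence, and a request to a .jsp file with a cmd parameter. It is an added example, not code from this article, Arctic Wolf or SSD-Disclosure; the log lines, paths, IP addresses and indicator names are constructed, and a combined-format access log is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format); paths and IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:10:01:12 +0000] "POST /example/upload?fileName=..%2F..%2Fserver%2Fshell.jsp HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.7 - - [05/May/2025:10:01:20 +0000] "GET /example/shell.jsp?cmd=whoami HTTP/1.1" 200 42 "-" "curl/8.0"
198.51.100.4 - - [05/May/2025:10:02:00 +0000] "GET /example/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [05/May/2025:10:03:00 +0000] "POST /example/content?name=promo.mp4 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# ".." as a whole path segment, or directly after "=" in a parameter value.
TRAVERSAL_RE = re.compile(r'(^|[/\\=])\.\.([/\\]|$)')

def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(method, target):
    """Return the set of indicators that one request matches."""
    hits = set()
    if method == "POST" and TRAVERSAL_RE.search(fully_decode(target)):
        hits.add("traversal-in-post")
    parts = urlsplit(target)
    is_jsp = fully_decode(parts.path).lower().endswith(".jsp")
    if is_jsp and "cmd" in parse_qs(parts.query, keep_blank_values=True):
        hits.add("jsp-with-cmd")
    return hits

def scan(log_text):
    """Map client IP -> sorted indicators; both together match the chain above."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, target, _status = m.groups()
            by_ip[ip] |= classify(method, target)
    return {ip: sorted(hits) for ip, hits in by_ip.items() if hits}
```

A client that shows both indicators warrants a check of the web root for .jsp files that are not part of the installed product.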
