Hackers are exploiting an unauthenticated distant code execution (RCE) vulnerability within the Samsung MagicINFO 9 Server to hijack units and deploy malware.
Samsung MagicINFO Server is a centralized content material administration system (CMS) used to remotely handle and management digital signage shows made by Samsung. It’s utilized by retail shops, airports, hospitals, company buildings, and eating places, the place there is a must schedule, distribute, show, and monitor multimedia content material.
The server part contains a file add performance meant for updating show content material, however hackers are abusing it to add malicious code.
The flaw, tracked below CVE-2024-7399, was first publicly disclosed in August 2024 when it was mounted as a part of the discharge of model 21.1050.
The seller described the vulnerability as an “Improper limitation of a pathname to a restricted listing vulnerability in Samsung MagicINFO 9 Server [that] permits attackers to jot down arbitrary file as system authority.”
On April 30, 2025, security researchers at SSD-Disclosure revealed an in depth write-up together with a proof-of-concept (PoC) exploit that achieves RCE on the server with none authentication utilizing a JSP net shell.
The attacker uploads a malicious .jsp file by way of an unauthenticated POST request, exploiting path traversal to put it in a web-accessible location.
By visiting the uploaded file with a cmd parameter, they’ll execute arbitrary OS instructions and see the output within the browser.
Arctic Wolf now studies that the CVE-2024-7399 flaw is actively exploited in assaults just a few days after the PoC’s launch, indicating that risk actors adopted the disclosed assault methodology in actual operations.
“Given the low barrier to exploitation and the provision of a public PoC, risk actors are prone to proceed concentrating on this vulnerability,” warned Arctic Wolf.
One other lively exploitation affirmation comes from risk analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over units.
Given the lively exploitation standing of the flaw, it is suggested that system directors take instant motion to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to model 21.1050 or later.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and how you can defend in opposition to them.
