Hackers are exploiting an unauthenticated distant code execution (RCE) vulnerability within the Samsung MagicINFO 9 Server to hijack gadgets and deploy malware.
Samsung MagicINFO Server is a centralized content material administration system (CMS) used to remotely handle and management digital signage shows made by Samsung. It’s utilized by retail shops, airports, hospitals, company buildings, and eating places, the place there is a must schedule, distribute, show, and monitor multimedia content material.
The server part incorporates a file add performance meant for updating show content material, however hackers are abusing it to add malicious code.
The flaw, tracked below CVE-2024-7399, was first publicly disclosed in August 2024 when it was fastened as a part of the discharge of model 21.1050.
The seller described the vulnerability as an “Improper limitation of a pathname to a restricted listing vulnerability in Samsung MagicINFO 9 Server [that] permits attackers to write down arbitrary file as system authority.”
On April 30, 2025, safety researchers at SSD-Disclosure printed a detailed write-up together with a proof-of-concept (PoC) exploit that achieves RCE on the server with none authentication utilizing a JSP internet shell.
The attacker uploads a malicious .jsp file by way of an unauthenticated POST request, exploiting path traversal to position it in a web-accessible location.
By visiting the uploaded file with a cmd parameter, they’ll execute arbitrary OS instructions and see the output within the browser.
Arctic Wolf now experiences that the CVE-2024-7399 flaw is actively exploited in assaults just a few days after the PoC’s launch, indicating that menace actors adopted the disclosed assault technique in actual operations.
“Given the low barrier to exploitation and the provision of a public PoC, menace actors are prone to proceed concentrating on this vulnerability,” warned Arctic Wolf.
One other energetic exploitation affirmation comes from menace analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over gadgets.
Given the energetic exploitation standing of the flaw, it’s endorsed that system directors take fast motion to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to model 21.1050 or later.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and find out how to defend in opposition to them.
