CVE-2024-7399: Critical Samsung MagicINFO Server RCE Flaw Exploited

A security flaw in Samsung’s MagicINFO 9 Server is now being actively used by hackers to hijack systems and install malware. The vulnerability, identified as CVE-2024-7399, allows attackers to execute code on a targeted server without needing any login credentials.

What is Samsung MagicINFO Server?

Samsung MagicINFO Server is a content management system (CMS) developed by Samsung to manage and control digital signage. These are the electronic displays commonly seen in retail stores, airports, hospitals, restaurants, and corporate buildings. MagicINFO helps users schedule, distribute, display, and monitor multimedia content across multiple screens remotely.

With the rise of smart displays in commercial spaces, MagicINFO has become a widely adopted solution for businesses that rely on digital communication. However, its popularity also makes it an attractive target for hackers.

CVE-2024-7399

The security vulnerability lies in the file upload feature of the MagicINFO server. This feature is normally used to update content on digital displays. Unfortunately, hackers have discovered a way to exploit it to upload malicious files instead.

Samsung officially disclosed the flaw in August 2024 and fixed it in version 21.1050 of the software. The issue was described as an “improper limitation of a pathname to a restricted directory,” a path traversal weakness: attackers can trick the system into writing files where it shouldn’t, and in doing so gain unauthorized system-level access.

How the Exploit Works

On April 30, 2025, cybersecurity experts at SSD-Disclosure published a technical breakdown of how this vulnerability can be exploited. They also released a proof-of-concept (PoC), making it easier for attackers to reproduce the attack.

Here’s how the exploit works:

  • The attacker sends an unauthenticated POST request to the MagicINFO server, uploading a malicious .jsp (JavaServer Pages) file.

  • Due to a path traversal flaw, the attacker places this file in a publicly accessible web directory.

  • By visiting this file through a browser and adding a command parameter (cmd), the attacker can run any command on the system and see the result directly in their browser.

This means the attacker can take full control of the server, install malware, steal data, or use the compromised server to attack other systems.
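
The steps above leave a trace in web access logs: a POST whose target carries a traversal sequence, then a request for a .jsp file with a cmd parameter. The detection script below is an added example, not code from Samsung, SSD-Disclosure or Arctic Wolf; it assumes Common Log Format, and the sample lines, paths and addresses are constructed placeholders, not MagicINFO's real endpoints.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Common Log Format). Paths are placeholders,
# not MagicINFO's real endpoints; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2025:10:14:01 +0000] "POST /app/upload-placeholder?name=..%2F..%2Fweb%2Fx.jsp HTTP/1.1" 200 12
203.0.113.7 - - [02/May/2025:10:14:09 +0000] "GET /app/x.jsp?cmd=whoami HTTP/1.1" 200 31
198.51.100.4 - - [02/May/2025:10:15:00 +0000] "GET /app/login.jsp HTTP/1.1" 200 4211
198.51.100.4 - - [02/May/2025:10:15:30 +0000] "POST /app/upload-placeholder?name=banner.png HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3}')

def parse(line):
    """Return (client_ip, method, request_target) or None if unparseable."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def has_traversal(target):
    # Decode twice so double-encoded sequences (%252e%252e%252f) are caught.
    decoded = unquote(unquote(target)).replace("\\", "/")
    return "../" in decoded

def is_jsp_cmd(target):
    # A JSP path with a "cmd" query parameter, even an empty one.
    parts = urlsplit(target)
    return (parts.path.lower().endswith((".jsp", ".jspx"))
            and "cmd" in parse_qs(parts.query, keep_blank_values=True))

def detect(log_text):
    """Return (kind, client_ip, request_target) findings in log order."""
    findings, suspects = [], set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, method, target = rec
        if method == "POST" and has_traversal(target):
            suspects.add(ip)
            findings.append(("traversal_upload", ip, target))
        elif is_jsp_cmd(target):
            # Access logs omit request bodies, so a traversal hidden in the
            # body is invisible here; flag .jsp+cmd on its own as well.
            kind = "webshell_after_upload" if ip in suspects else "jsp_cmd_param"
            findings.append((kind, ip, target))
    return findings

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```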

Active Attacks Confirmed

Just days after the PoC was made public, cybersecurity firm Arctic Wolf reported seeing active attacks in the wild using this exact method. According to their report, hackers have already started exploiting the vulnerability to compromise real systems.

“Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability,” said Arctic Wolf in a warning to system administrators.

Additional confirmation of real-world attacks came from Johannes Ullrich, a well-known threat analyst. He observed that a Mirai botnet variant was using this vulnerability to spread malware and take over connected devices. Mirai is a type of malware that turns networked devices into remotely controlled “bots” used in large-scale attacks like Distributed Denial of Service (DDoS).

Immediate Patch Recommended

With active exploitation already underway, it’s critical for organizations using Samsung MagicINFO 9 Server to patch this vulnerability without delay. If left unpatched, systems are at risk of being fully compromised by attackers.

What you should do:

  • Upgrade to MagicINFO Server version 21.1050 or later. This version contains the official patch for CVE-2024-7399.

  • Audit your systems to check if any unauthorized .jsp files have been uploaded.

  • Monitor network activity for signs of exploitation or malware behavior.

  • Restrict access to your server’s upload functionalities wherever possible.
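
One way to carry out the .jsp audit step, shown as an added example rather than a Samsung tool: hash every JSP file under the web root and compare the result with a snapshot taken from a known-good install. The web root location and the availability of a clean baseline are assumptions, and the file names in the demo are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

JSP_SUFFIXES = {".jsp", ".jspx"}

def sha256_of(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(web_root):
    """Map relative path -> SHA-256 for every JSP file under web_root."""
    root = Path(web_root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in JSP_SUFFIXES}

def audit(web_root, baseline):
    """Compare the live tree with a baseline from a known-good install."""
    current = snapshot(web_root)
    return {
        # Files the baseline never had: candidates for uploaded web shells.
        "added": sorted(set(current) - set(baseline)),
        # Known files whose content changed since the baseline.
        "modified": sorted(r for r in current
                           if r in baseline and current[r] != baseline[r]),
        "missing": sorted(set(baseline) - set(current)),
    }

if __name__ == "__main__":
    # Constructed demo tree; file names are hypothetical.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.jsp").write_text("<%-- home --%>")
        baseline = snapshot(root)  # taken while the tree is clean
        (root / "img").mkdir()
        (root / "img" / "a.JSP").write_text("<%-- dropped later --%>")
        (root / "index.jsp").write_text("<%-- tampered --%>")
        print(audit(root, baseline))
```

Anything listed under "added" or "modified" should be reviewed against the vendor's installation media before it is trusted or deleted.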

Why This Matters for Your Organization

Even though MagicINFO is not typically thought of as a high-risk application, it runs on servers connected to internal networks. If attackers gain control of these servers, they may use them as entry points to move laterally within the network, putting sensitive systems and data at risk.

This case also highlights a growing trend in cybersecurity: attackers are shifting their focus from traditional targets to less obvious, but still critical, systems like signage servers, IoT devices, and third-party platforms.

Conclusion

The exploitation of the Samsung MagicINFO 9 Server vulnerability (CVE-2024-7399) is a strong reminder that every exposed system can be a potential entry point for attackers, especially when proof-of-concept exploits are publicly available. The best defense is a proactive one—patch early, monitor often, and educate your team on the risks of ignoring software updates.

For IT administrators and cybersecurity professionals, this is a clear call to review the status of your MagicINFO deployments and take swift action to close this security gap.
