Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. It is used by retail stores, airports, hospitals, corporate buildings, and restaurants, where there is a need to schedule, distribute, display, and monitor multimedia content.
The server component includes a file upload function intended for updating display content, but hackers are abusing it to upload malicious code.
The flaw, tracked under CVE-2024-7399, was first publicly disclosed in August 2024 when it was fixed as part of the release of version 21.1050.
The vendor described the vulnerability as an “Incorrect constraint of a pathname to a restricted directory site vulnerability in Samsung MagicINFO 9 Server [that] permits enemies to create arbitrary data as system authority.”
On April 30, 2025, security researchers at SSD-Disclosure published a detailed write-up together with a proof-of-concept (PoC) exploit that achieves RCE on the server without any authentication using a JSP web shell.
The attacker uploads a malicious .jsp file via an unauthenticated POST request, exploiting path traversal to place it in a web-accessible location.
By visiting the uploaded file with a cmd parameter, they can execute arbitrary OS commands and see the output in the browser.
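A defender-side check for the two requests described above, as an added example that is not part of the original article: it scans web access logs for a POST whose URL carries a path traversal toward a .jsp file, and for requests to a .jsp page with a cmd parameter. The combined log format, the assumption that the traversal is visible in the request URL, and the paths, the `fileName` parameter and the addresses in the sample are constructed for illustration and are not MagicINFO's real endpoints.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Combined log format: client ident user [time] "METHOD URL PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def decode(url, rounds=2):
    """Undo up to two layers of percent-encoding (%2e%2e%2f, %252e...)."""
    for _ in range(rounds):
        url = unquote(url)
    return url.replace("\\", "/")  # treat backslashes as path separators

def classify(line):
    """Return (client, finding) for a suspicious log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, raw_url = m.groups()
    url = decode(raw_url)
    parts = urlsplit(url)
    # Stage 1: upload request steering a .jsp file out of the upload directory.
    if method == "POST" and "../" in url and ".jsp" in url.lower():
        return client, "traversal-upload"
    # Stage 2: a JSP page invoked with a cmd parameter (web shell pattern).
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.lower().endswith(".jsp") and "cmd" in query:
        return client, "jsp-cmd-request"
    return None

def scan(lines):
    """Group findings by client address, preserving log order."""
    findings = {}
    for line in lines:
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

# Constructed sample log lines (hypothetical paths and parameter names).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2025:10:01:02 +0000] "POST /example/upload?fileName=..%2F..%2Fwebroot%2Fx.jsp HTTP/1.1" 200 12',
    '203.0.113.7 - - [06/May/2025:10:01:09 +0000] "GET /example/x.jsp?cmd=id HTTP/1.1" 200 31',
    '198.51.100.4 - - [06/May/2025:10:02:00 +0000] "GET /example/login.jsp HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/May/2025:10:02:05 +0000] "POST /example/upload?fileName=banner.png HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

A client that shows both findings in sequence warrants checking the web root for unexpected .jsp files, not just blocking the address.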
Arctic Wolf now reports that the CVE-2024-7399 flaw is actively exploited in attacks a few days after the PoC’s release, indicating that threat actors adopted the disclosed attack method in real operations.
“Provided the low barrier to exploitation and the schedule of a public PoC, threat actors are most likely to proceed targeting this susceptibility,” warned Arctic Wolf.
Another confirmation of active exploitation comes from threat analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over devices.
Given the active exploitation status of the flaw, it is recommended that system administrators take immediate action to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to version 21.1050 or later.