Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. It is used by retail stores, airports, hospitals, corporate buildings, and restaurants, where there’s a need to schedule, distribute, display, and monitor multimedia content.
The server component features a file upload functionality intended for updating display content, but hackers are abusing it to upload malicious code.
The flaw, tracked under CVE-2024-7399, was first publicly disclosed in August 2024 when it was fixed as part of the release of version 21.1050.
The vendor described the vulnerability as an “Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server [that] allows attackers to write arbitrary file as system authority.”
On April 30, 2025, security researchers at SSD-Disclosure published a detailed write-up along with a proof-of-concept (PoC) exploit that achieves RCE on the server without any authentication using a JSP web shell.
The attacker uploads a malicious .jsp file via an unauthenticated POST request, exploiting path traversal to place it in a web-accessible location.
By visiting the uploaded file with a cmd parameter, they can execute arbitrary OS commands and see the output in the browser.
Arctic Wolf now reports that the CVE-2024-7399 flaw is actively exploited in attacks a few days after the PoC’s release, indicating that threat actors adopted the disclosed attack method in real operations.
“Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability,” warned Arctic Wolf.
Another active exploitation confirmation comes from threat analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over devices.
Given the active exploitation status of the flaw, it is recommended that system administrators take immediate action to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to version 21.1050 or later.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.