Samsung MagicINFO Flaw Exploited Days After PoC Exploit Publication

Threat actors have begun exploiting a high-severity vulnerability in Samsung MagicINFO, just days after a proof-of-concept (PoC) exploit was publicly released. According to Arctic Wolf researchers, the vulnerability, tracked as CVE-2024-7399 (CVSS score: 8.8), is an improper limitation of a pathname to a restricted directory (path traversal) in Samsung MagicINFO 9 Server versions before 21.1050.

Arctic Wolf observed threat actors starting to exploit this vulnerability just days after the PoC exploit code was made publicly available. This vulnerability allows unauthenticated attackers to upload JavaServer Pages (JSP) files and execute code with system-level access, making it a serious concern for organizations that use Samsung MagicINFO.

"As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays," reads a report published by Arctic Wolf. "The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JSP files."

Samsung first disclosed the flaw in August 2024, but there were no signs of it being exploited at that time. However, just days after a PoC was published on April 30, 2025, threat actors began taking advantage of this vulnerability.

How Does the Vulnerability Work?

CVE-2024-7399 is an input validation flaw in Samsung MagicINFO 9 Server: pathnames are not properly limited to the restricted directory, so a file write can land outside it. The attack is simple: an unauthenticated attacker writes a specially crafted JavaServer Pages (JSP) file to the server, and that file is then executed with system-level privileges.
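The bug class described above (CWE-22 in a file upload), as an added Java example that is not MagicINFO code and not from the Arctic Wolf report: it contrasts joining a client-supplied file name to an upload directory unchecked with a form that canonicalises the path and enforces an allow-list. The class name, directory, allowed extensions and sample names are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Added illustration of the path traversal (CWE-22) bug class; not MagicINFO code.
// Class name, upload directory, allow-list and sample names are all hypothetical.
public class UploadPathCheck {
    // Allow-list of media types the upload feature is meant to accept (assumed).
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "mp4");

    // Weak form: the client-supplied name is joined to the base directory unchecked,
    // so "../" segments or an absolute path move the write somewhere else.
    static Path resolveUnchecked(Path uploadDir, String clientName) {
        return uploadDir.resolve(clientName).normalize();
    }

    // Hardened form: canonicalise first, then require the result to stay inside
    // the upload directory and to carry an allow-listed extension.
    static Path resolveChecked(Path uploadDir, String clientName) throws IOException {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientName).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("rejected: path leaves upload directory");
        }
        String name = target.getFileName().toString().toLowerCase(Locale.ROOT);
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IOException("rejected: extension not allowed: '" + ext + "'");
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/srv/signage/uploads"); // hypothetical location
        String[] constructed = {                            // constructed sample names
            "poster.png", "../webroot/page.jsp", "a/../../../tmp/x.png", "banner.JSP"
        };
        for (String n : constructed) {
            System.out.println(n + "\n  unchecked -> " + resolveUnchecked(uploadDir, n));
            try {
                System.out.println("  checked   -> " + resolveChecked(uploadDir, n));
            } catch (IOException e) {
                System.out.println("  checked   -> " + e.getMessage());
            }
        }
    }
}
```

`normalize()` is purely lexical; where symbolic links can exist inside the upload directory, the parent of the target should also be compared via `toRealPath()` before writing.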

What Does Samsung Say?

Samsung addressed the vulnerability with the release of MagicINFO 9 Server version 21.1050 in August 2024. This patch fixes the improper limitation of a pathname to a restricted directory vulnerability.

What Should You Do?

Given the low barrier to exploitation and the public availability of the PoC, experts believe that the attacks are likely to continue. If you use Samsung MagicINFO 9 Server, it's essential to update to version 21.1050 or later as soon as possible.

Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability and will alert Managed Detection and Response customers as required when malicious activities are observed.
