Samsung MagicINFO 9 server flaw actively exploited
Take action: If you are running Samsung MagicINFO 9 Server, first make sure it is isolated from the internet and reachable only from trusted networks. Then patch promptly: you don't want your signage showing attacker-controlled content, or the server being used as a foothold into the rest of your network.
Arctic Wolf security researchers are reporting active exploitation of a vulnerability in Samsung MagicINFO 9 Server, a content management system widely used for managing digital signage displays.
The vulnerability is tracked as CVE-2024-7399 (CVSS score 7.5), a path traversal vulnerability in Samsung MagicINFO 9 Server. It stems from multiple weaknesses in the product's design: the /MagicInfo/servlet/SWUpdateFileUploader endpoint does not verify that the caller is authenticated, and it fails to sanitize the supplied filename, so user input is concatenated onto a file-system path without adequate validation.
The flaw allows an unauthenticated attacker to write a specially crafted JavaServer Pages (JSP) file to the server and then request it, executing arbitrary code with system privileges. It affects versions prior to 21.1050.
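Concretely, the two defects described above, a missing authentication check and unvalidated concatenation of a caller-supplied filename onto a directory path, look like this in code. The Python below is an added illustration written for this article, not MagicINFO's own code (which is a Java servlet application); the upload directory, the function names and the list of rejected extensions are assumptions. It shows the vulnerable pattern beside a hardened handler that rejects traversal, refuses content the servlet container would execute, and gates the whole thing behind an authentication check.

```python
import posixpath

# Assumed upload directory for the illustration; not MagicINFO's real layout.
UPLOAD_ROOT = "/opt/magicinfo/upload"

# Extensions a servlet container would execute if such a file landed in a web-app
# directory. Assumed list; extend it for your container.
EXECUTABLE_EXTENSIONS = (".jsp", ".jspx", ".jspf", ".jsw", ".jsv")


def vulnerable_target_path(filename: str) -> str:
    """The weakness class described in the advisory: the caller-supplied
    filename is concatenated onto a base directory with no validation, so
    '..' segments walk out of the upload root and a .jsp name is accepted."""
    return UPLOAD_ROOT + "/" + filename


def hardened_target_path(filename: str) -> str:
    """Reject traversal and executable content before touching the file system."""
    # Step 1: keep only the final path component, whichever separator the client used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("invalid filename")
    # Step 2: refuse anything the container would execute (case-insensitive,
    # and catching a bare '.jsp' name that splitext would treat as extensionless).
    if base.lower().endswith(EXECUTABLE_EXTENSIONS):
        raise ValueError("executable file types are not accepted")
    # Step 3: canonicalise and confirm the result still sits under the upload root.
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes the upload directory")
    return candidate


def handle_upload(authenticated: bool, filename: str) -> str:
    """Addresses both defects the advisory names: an auth check first, then
    safe path handling. Returns the path the file would be written to."""
    if not authenticated:
        raise PermissionError("authentication required")
    return hardened_target_path(filename)


def is_accepted(authenticated: bool, filename: str) -> bool:
    """Wrapper so a caller can test a filename without catching exceptions."""
    try:
        handle_upload(authenticated, filename)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    evil = "../../webapps/MagicInfo/shell.jsp"
    print("vulnerable path:", vulnerable_target_path(evil))
    print("hardened accepts traversal+JSP?", is_accepted(True, evil))
    print("hardened accepts firmware.bin?", is_accepted(True, "firmware.bin"))
    print("unauthenticated upload accepted?", is_accepted(False, "firmware.bin"))
```

Note that step 1 deliberately flattens a name such as `..\..\firmware.bin` to `firmware.bin` rather than rejecting it; if your policy is to refuse any request that even attempts traversal, raise there instead. Step 3 is redundant once the name has been reduced to a single component, but it is cheap insurance against a later change to step 1.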
Samsung addressed the vulnerability in version 21.1050 (released in late 2024). Arctic Wolf observed active exploitation attempts "within days" of a proof-of-concept (PoC) exploit being published.
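Because exploitation is already being observed, a quick first pass over the server's HTTP access log for attempts against the endpoint named above is worth doing before and after patching. The Python below is an added example, not code from Arctic Wolf or Samsung. The log lines are constructed for the illustration, the common-log-format pattern is an assumption about how your server records requests, and the trusted-network list is a placeholder for your own ranges. It flags any POST to the upload endpoint (highlighting untrusted sources), any decoded path containing a `..` segment, and any JSP request from a source that earlier reached the uploader, which is the write-then-execute sequence the advisory describes.

```python
import ipaddress
import re
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"

# Assumed: Apache/Tomcat common log format. Adjust the pattern to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Finding labels returned by triage().
F_UPLOAD = "upload endpoint hit"
F_UPLOAD_UNTRUSTED = "upload endpoint hit from untrusted network"
F_TRAVERSAL = "path traversal sequence in request"
F_JSP_AFTER_UPLOAD = "JSP requested by a source that previously hit the upload endpoint"

# Constructed sample lines for the illustration, not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:12:01 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:12:09 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 8120
203.0.113.7 - - [01/Jan/2025:10:12:11 +0000] "GET /MagicInfo/..%2Fshell.jsp?cmd=id HTTP/1.1" 200 97
10.0.0.5 - - [01/Jan/2025:10:15:40 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 512
"""


def triage(log_text: str, trusted_nets) -> list:
    """Return (line_number, finding) pairs that deserve a human look."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    uploaders = set()  # sources that have reached the upload endpoint so far
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        untrusted = not any(ip in n for n in nets)
        # Decode twice so %2F and double-encoded %252F both normalise to '/'.
        path = unquote(unquote(m["target"].split("?", 1)[0]))
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(ip)
            findings.append((lineno, F_UPLOAD_UNTRUSTED if untrusted else F_UPLOAD))
        if ".." in path.split("/"):
            findings.append((lineno, F_TRAVERSAL))
        if path.lower().endswith(".jsp") and ip in uploaders:
            findings.append((lineno, F_JSP_AFTER_UPLOAD))
    return findings


if __name__ == "__main__":
    for lineno, finding in triage(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"line {lineno}: {finding}")
```

A JSP request on its own is not evidence of anything, since the product serves JSP pages legitimately; that is why the third check correlates it with an earlier hit on the uploader from the same source. Conversely, a hit on the upload endpoint from a trusted network still deserves a look, because the endpoint itself requires no authentication and a compromised internal host would appear "trusted" here.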
Organizations using Samsung MagicINFO 9 Server should upgrade immediately to version 21.1050 or later.