A critical security vulnerability in the Samsung MagicINFO 9 Server has come under active exploit, security researchers from Arctic Wolf have warned.
The flaw, tracked as CVE-2024-7399, allows unauthenticated attackers to remotely execute code and compromise digital signage infrastructure in organizations around the world.
Details of the Vulnerability
The Samsung MagicINFO 9 Server is a popular content management system widely deployed to manage and control digital signage displays across retail, transportation, and corporate environments.
.png
)
The vulnerability, CVE-2024-7399, stems from inadequate input validation in the server’s file upload functionality. Specifically, the flaw arises due to poor sanitization of filename input and a lack of checks for file extension or user authentication.
This oversight allows any remotely located, unauthenticated attacker to upload malicious JavaServer Pages (JSP) files to the server. If exploited, the attacker can execute arbitrary code on the server with full system privileges.
The vulnerability was initially disclosed in August 2024 by Samsung, with no exploits reported at the time.
However, on April 30, 2025, researchers released detailed technical write-ups and a proof-of-concept (PoC) exploit. Almost immediately, Arctic Wolf’s threat intelligence teams observed real-world exploitation attempts.
| Product | Affected Versions | Fixed Version | Associated CVE |
| Samsung MagicINFO 9 Server | Prior to 21.1050 | 21.1050 and later | CVE-2024-7399 |
Due to the severity of the flaw and the public availability of a functional PoC, organizations using Samsung MagicINFO 9 Server face significant risk.
Cybercriminals can leverage this vulnerability for data theft, ransomware deployment, or disruption of critical signage infrastructure.
- Immediate Upgrade:Â Organizations should urgently upgrade to at least version 21.1050 (or later), which contains the patch for CVE-2024-7399.
- Follow Patching Best Practices:Â Carefully follow internal patch management and testing procedures to minimize operational disruption.
- Monitor for Malicious Activity:Â Security teams should remain vigilant for suspicious activity on MagicINFO servers and apply additional monitoring where feasible.
- Review Server Exposure:Â Limit direct internet exposure of MagicINFO servers, and enforce strict access controls.
As exploitation of CVE-2024-7399 intensifies, Arctic Wolf is proactively monitoring for associated malicious activity and will alert customers as warranted.
Organizations running vulnerable versions of Samsung MagicINFO 9 Server are urged not to delay remediation steps.
Setting Up SOC Team? – Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team -> Free Download
