Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
An easily and remotely exploitable vulnerability (CVE-2024-7399) affecting Samsung MagicINFO, a platform for managing content on Samsung commercial displays, is being leveraged by attackers.
Exploit attempts have been flagged by the SANS Internet Storm Center and Arctic Wolf researchers: the attackers are using the vulnerability to upload and execute a script that contains a downloader for a Mirai bot.
About CVE-2024-7399
Samsung MagicINFO is a digital signage management platform that is used to create, schedule, and manage multimedia content on Samsung commercial displays, which are often used in transportation hubs, retail stores, restaurants, corporate lobbies, healthcare organizations, financial institutions, etc.
It’s also used to manage the actual displays: perform firmware updates, remote diagnostics, and so on.
The Samsung MagicINFO solution integrates several elements: a web-based content creation tool, a server component, and a player client installed on the displays.
CVE-2024-7399 is a path traversal vulnerability that affects the server component, more specifically Samsung MagicINFO v9 Server, version 21.1050 and earlier.
“CVE-2024-7399 arises from a flaw in the input verification logic of Samsung MagicINFO 9 Server, which improperly sanitizes a filename input. This process is performed without validating the file extension or checking if the user performing the request is authenticated. As a result, unauthenticated threat actors can upload JSP files and execute arbitrary code with system authority on vulnerable servers,” Arctic Wolf researchers explained.
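The flaw class the Arctic Wolf quote describes, as an added illustration that is not MagicINFO code (the product's internals are not on this page): a naive filename join beside a hardened handler that authenticates before touching input, keeps only the last path component, allow-lists the final extension and confirms the result stays inside the upload root. The upload directory, extension list and function names are assumptions.

```python
import posixpath
from typing import Optional

# Assumed upload root and allow-list; not MagicINFO's real configuration.
UPLOAD_ROOT = "/var/www/uploads"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".mp4"}


def vulnerable_target_path(filename: str) -> str:
    """The weak pattern: the client-supplied filename is joined as-is.
    Traversal sequences survive and no extension check is made."""
    return posixpath.join(UPLOAD_ROOT, filename)


def hardened_target_path(filename: str) -> Optional[str]:
    """Return an absolute path inside UPLOAD_ROOT, or None to reject."""
    # Keep only the last component; drops any directory part, including
    # traversal written with backslashes (Windows-hosted servers).
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base in {".", ".."}:
        return None
    # Allow-list the *final* suffix so "logo.png.jsp" is still rejected.
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Normalize and prove containment rather than trusting the join.
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate


def handle_upload(authenticated: bool, filename: str) -> str:
    """Handler sketch: the authentication check comes first, so an
    unauthenticated request never reaches the filename logic at all."""
    if not authenticated:
        return "401 unauthenticated"
    path = hardened_target_path(filename)
    if path is None:
        return "400 rejected filename"
    return f"200 stored at {path}"


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    print(vulnerable_target_path("../../x.jsp"))
    print(handle_upload(True, "../../x.jsp"))
    print(handle_upload(True, "logo.png"))
```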
A patch for the vulnerability was pushed out by Samsung in August 2024, but attackers only started leveraging the flaw now because a proof-of-concept (PoC) exploit was made public last week.
What are the attackers after?
Samsung MagicINFO Server is typically installed on Windows Server operating systems, which are not the typical targets for Mirai botnet operators.
Mirai botnets usually consist of Linux-based internet-connected “smart” devices, so the commercial displays themselves would be a more natural target. But they aren’t commonly exposed to the internet.
The final goal of these attacks is currently unknown but, according to Arctic Wolf researchers, given the low barrier to exploitation – no user action required, exploitable remotely – and the availability of a public PoC, threat actors are likely to continue targeting the flaw.
Users are advised to upgrade to Samsung MagicINFO Server V9 21.1050.0 and implement the patch for CVE-2024-7399.