Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)

An easily and remotely exploitable vulnerability (CVE-2024-7399) affecting Samsung MagicINFO, a platform for managing content on Samsung commercial displays, is being leveraged by attackers.

Exploit attempts have been flagged by the SANS Internet Storm Center and Arctic Wolf researchers: the attackers are using the vulnerability to upload and execute a script that contains a downloader for a Mirai bot.

About CVE-2024-7399

Samsung MagicINFO is a digital signage management platform that is used to create, schedule, and manage multimedia content on Samsung commercial displays, which are often used in transportation hubs, retail stores, restaurants, corporate lobbies, healthcare organizations, financial institutions, etc.

It’s also used to manage the actual displays: perform firmware updates, remote diagnostics, and so on.

The Samsung MagicINFO solution integrates several elements: a web-based content creation tool, a server component, and a player client installed on the displays.

CVE-2024-7399 is a path traversal vulnerability that affects the server component, more specifically Samsung MagicINFO v9 Server, version 21.1050 and earlier.

“CVE-2024-7399 arises from a flaw in the input verification logic of Samsung MagicINFO 9 Server, which improperly sanitizes a filename input. This process is performed without validating the file extension or checking if the user performing the request is authenticated. As a result, unauthenticated threat actors can upload JSP files and execute arbitrary code with system authority on vulnerable servers,” Arctic Wolf researchers explained.

A patch for the vulnerability has been pushed out by Samsung in August 2024, but attackers only started leveraging it now because a proof-of-concept (PoC) exploit has been made public last week.

What are the attackers after?

Samsung MagicINFO Server is typically installed on Windows Server operating systems, which are not the typical targets for Mirai botnet operators.

Mirai botnets usually consist of Linux-based internet-connected “smart” devices and, thus, commercial displays are a more natural target. But, they aren’t commonly exposed to the internet.

The final goal of these attacks is currently unknown but, according to Arctic Wolf researchers, given the low barrier to exploitation – no user action required, exploitable remotely – and the availability of a public PoC, threat actors are likely to continue targeting the flaw.

Users are advised to upgrade to Samsung MagicINFO Server V9 21.1050.0 and implement the patch for CVE-2024-7399.

UPDATE (May 6, 2025, 12:30 p.m. ET):

“As of now, there’s no confirmed public evidence that the threat actors are actively targeting the displays themselves (e.g., to change content or cause disruption). The current infections outlined in the SANS article suggest that the vulnerable Samsung MagicINFO 9 servers are being infected and used as part of a Mirai botnet, which typically means the threat actors are using them for broader purposes such as Distributed-Denial-of-Service (DDoS) attacks,” the Artic Wolf team told Help Net Security.

“However, the fact that MagicINFO servers manage digital signage in corporate and public environments does present potential risks, particularly if the compromised servers are not properly segmented from internal networks. If these systems are not isolated, an attacker could feasibly pivot from the compromised server deeper into the organization, depending on the environment and privileges involved.”

They also added that, at the moment, Shodan data shows nearly 5,000 publicly accessible MagicINFO Server, located across several countries.

UPDATE (May 8, 2025, 05:50 a.m. ET):

Huntress Labs researchers say that v21.1050.0 of Samsung MagicINFO 9 Server is still vulnerable to the publicly reported PoC.

“Despite reports suggesting an issue (CVE-2024-7399) was resolved in the latest version, we’ve uncovered that systems running this version are actively being targeted. This leads us to conclude that the patch was either incomplete or for a separate, but similar, flaw,” the company said, and advised users to make sure their MagicINFO 9 Server is not accessible from the internet until a proper update has been released and patch applied.

Help Net Security has reached out to Samsung for more information, we will update this article if we hear back from them.

UPDATE (May 15, 2025, 07:20 a.m. ET):

A new path traversal vulnerability (CVE-2025-4632) – possibly a bypass of CVE-2024-7399 – has been patched by Samsung in MagicINFO 9 Server, and it seems that it’s this one that’s being exploited in recent attacks.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!