Samsung patches MagicINFO 9 Server vulnerability exploited by attackers
Companies running Samsung MagicINFO, a platform for managing content on Samsung commercial digital displays, should upgrade to the latest available version of its v9 branch to fix a vulnerability that’s reportedly being exploited by attackers.
If this advice sounds familiar, it’s because it is a repeat of a call that happened ten days ago, when researchers spotted attackers attempting to compromise machines running the platform’s server component by exploiting a path traversal vulnerability.
At the time, the researchers believed that the vulnerability in question was CVE-2024-7399 (ostensibly fixed in August 2024), since a proof-of-concept exploit for such a vulnerability was published on April 30, 2025.
Untangling confusion and inconsistent information
With Samsung not responding to the researcher who flagged the vulnerability and published the PoC nor to media inquiries, confusion arose about which vulnerability was being exploited and which version of the server component was vulnerable.
The researcher claimed that MagicINFO 9 Server 21.1050 – the latest available version at the time – was affected, and Huntress researchers subsequently confirmed it, as some of the breached systems were indeed running that version.
Then, on May 7, 2025, Samsung pushed out MagicINFO 9 Server (Hotfix) 21.1052.
The company’s page for security updates says that it has patched CVE-2025-4632, an improper limitation of a pathname to a restricted directory vulnerability that allows attackers to write arbitrary files with system authority. (CVE-2024-7399 was previously described by Samsung in exactly the same way.)
The release notes for MagicINFO 9 Server Hotfix 21.1052 don’t mention CVE-2025-4632, though – just CVE-2024-7399.
With Samsung still not responding to inquiries, we’re left to guess whether CVE-2024-7399 was really fixed last year in MagicINFO 9 Server 21.1050 or has only now been fixed in MagicINFO 9 Server (Hotfix) 21.1052.
It’s also possible that CVE-2025-4632 is a bypass of the patch for the previously fixed CVE-2024-7399 and that Samsung has now patched the bypass, but the company has been poor at providing consistent information.
The good news is that MagicINFO V9 (Hotfix) 21.1052 does mitigate the issue, as recently confirmed by Huntress researchers.
The bad news is that there is no hotfix for MagicINFO v8, so users should switch to v9 and do it in a particular way: first upgrade to v9 21.1050, and then update to v9 (Hotfix) 21.1052.
All customers should investigate whether their instances have been compromised. SANS ISC’s and Huntress’ most recent posts provide more information about the exploitation and post-exploitation activities performed by attackers.
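As an added illustration that is not Samsung’s code and is not derived from the MagicINFO server, the Python below shows the bug class Samsung’s advisory names (a pathname that is not confined to its intended directory, ending in an arbitrary file write) next to the canonicalisation check that confines it, plus a small triage helper of the kind a defender might run over web access logs when investigating possible compromise. The upload directory, file names and request paths are constructed for the example; none of them are MagicINFO endpoints.

```python
import os
import urllib.parse
from typing import Optional

# Constructed for this example: an assumed upload directory, not a MagicINFO path.
UPLOAD_ROOT = "/srv/app/uploads"


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so that double-encoded
    sequences such as '%252e%252e/' are seen as '../' by the checks below."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_target_path(root: str, user_supplied: str) -> str:
    """The flawed pattern behind CWE-22: the client-supplied name is joined to
    the storage directory and used as-is. '../' segments walk out of root, so
    the destination of the write is chosen by the client."""
    return os.path.normpath(os.path.join(root, user_supplied))


def safe_target_path(root: str, user_supplied: str) -> Optional[str]:
    """Hardened version: decode, resolve to a canonical absolute path and
    accept it only if it stays strictly inside root. Returns the resolved
    path, or None when the request must be refused."""
    decoded = _fully_decode(user_supplied)
    if "\x00" in decoded:  # NUL bytes truncate names in many native APIs
        return None
    root_real = os.path.realpath(root)
    # os.path.join discards root when the supplied part is absolute; realpath
    # then yields a path outside root, which the containment check rejects.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if candidate == root_real:
        return None  # the directory itself is not a valid file target
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """Cheap log-triage check for hunting in access logs: flag any request whose
    fully decoded path contains a bare '..' segment. Backslashes are treated as
    separators too. This complements, but never replaces, the server-side check."""
    decoded = _fully_decode(request_path).replace("\\", "/")
    return ".." in decoded.split("/")


if __name__ == "__main__":
    # Constructed request log lines for demonstration only.
    sample_requests = [
        "/files/report.pdf",
        "/files/..%2f..%2fetc%2fcron.d%2fjob",
        "/files/%252e%252e/%252e%252e/boot.ini",
        "/files/archive..2024.zip",
    ]
    for path in sample_requests:
        print(f"{'SUSPICIOUS' if looks_like_traversal(path) else 'ok        '} {path}")

    print("vulnerable:", vulnerable_target_path(UPLOAD_ROOT, "../../etc/cron.d/job"))
    print("hardened:  ", safe_target_path(UPLOAD_ROOT, "../../etc/cron.d/job"))
```

The hardened function deliberately resolves the path before comparing prefixes rather than searching the input for `..`: lexical filters miss encoded variants and reject legitimate names such as `archive..2024.zip`, while comparing canonical paths decides containment independently of how the client spelled the request.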