Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.

Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. The server component features a file upload functionality intended for updating display content, but hackers are abusing it to upload malicious code.

On April 30, 2025, security researchers at SSD-Disclosure published a detailed write-up along with a proof-of-concept (PoC) exploit that achieves RCE on the server without any authentication using a JSP web shell. The attacker uploads a malicious .jsp file via an unauthenticated POST request, exploiting path traversal to place it in a web-accessible location.

Arctic Wolf now reports that the CVE-2024-7399 flaw is actively exploited in attacks a few days after the PoC's release, indicating that threat actors adopted the disclosed attack method in real operations. Another active exploitation confirmation comes from threat analyst Johannes Ullrich, who reported seeing a Mirai botnet malware variant leveraging CVE-2024-7399 to take over devices. "Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability," warned Arctic Wolf.

Given the active exploitation status of the flaw, it is recommended that system administrators take immediate action to patch CVE-2024-7399 by upgrading the Samsung MagicINFO Server to version 21.1050 or later.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 06 May 2025 17:15:07 +0000
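
As an added detection example (not from the original article, Samsung, SSD-Disclosure or Arctic Wolf), the following Python code scans web access logs for the pattern the article describes: a POST whose URL carries a path-traversal sequence and a `.jsp` file name, followed by a successful GET for that same file. It assumes Combined Log Format and that the uploaded file name appears in the request URL; the endpoint path, file names, IP addresses and log lines are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample (Combined Log Format). The endpoint path, file names and
# documentation-range IPs are placeholders, not values from the article.
SAMPLE_LOG = """\
192.0.2.10 - - [06/May/2025:10:00:01 +0000] "POST /PLACEHOLDER/upload?fileName=..%2F..%2Fwebapps%2Fapp%2Fx.jsp HTTP/1.1" 200 12 "-" "-"
192.0.2.10 - - [06/May/2025:10:00:05 +0000] "GET /app/x.jsp HTTP/1.1" 200 48 "-" "-"
198.51.100.7 - - [06/May/2025:10:01:00 +0000] "POST /PLACEHOLDER/upload?fileName=promo.mp4 HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [06/May/2025:10:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 900 "-" "-"
203.0.113.5 - - [06/May/2025:10:03:00 +0000] "POST /PLACEHOLDER/upload?fileName=..%252F..%252Fwebapps%252Fapp%252Fy.jsp HTTP/1.1" 200 12 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL = re.compile(r'\.\.[/\\]')
JSP_NAME = re.compile(r'([^/\\=&?]+\.jspx?)(?=$|[&?#;])', re.I)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252F) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_jsp_drops(log_text):
    """Return (finding, client_ip, auth_user, jsp_name) tuples in log order.
    auth_user == "-" means the server logged no authenticated identity."""
    uploaded = set()   # .jsp names seen in traversal uploads
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, user, method, target, status = m.groups()
        decoded = decode_fully(target)
        name = JSP_NAME.search(decoded)
        if method == "POST" and name and TRAVERSAL.search(decoded):
            uploaded.add(name.group(1).lower())
            findings.append(("traversal_jsp_upload", ip, user, name.group(1)))
        elif method == "GET" and status == "200":
            leaf = urlsplit(decoded).path.rsplit("/", 1)[-1].lower()
            if leaf in uploaded:
                findings.append(("uploaded_jsp_requested", ip, user, leaf))
    return findings

if __name__ == "__main__":
    for finding in find_jsp_drops(SAMPLE_LOG):
        print(finding)
```

A `traversal_jsp_upload` finding followed by `uploaded_jsp_requested` for the same file name is the higher-confidence signal; the upload finding alone still warrants checking the web root for unexpected `.jsp` files.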