A critical security vulnerability in Samsung’s digital signage management platform has moved from theoretical risk to active threat as attackers begin exploiting it in real-world attacks. 

CVE-2024-7399, a high-severity vulnerability affecting Samsung MagicINFO 9 Server, is now being actively exploited by threat actors.

The vulnerability, which carries a CVSS score of 9.8 (critical severity), enables unauthenticated attackers to upload malicious files to vulnerable servers and potentially gain complete control of the system.

Security experts warn that organizations using the affected software should implement patches immediately.

“Given the low barrier to exploitation and the availability of a public proof-of-concept, threat actors are likely to continue targeting this vulnerability,” noted Arctic Wolf in their security advisory. 

The exploitation activity began just days after technical details and a proof-of-concept exploit were published on April 30, 2025.

Critical Unauthenticated File Upload Vulnerability 

CVE-2024-7399 stems from a critical flaw in the input verification logic of Samsung MagicINFO 9 Server, a content management system widely used to manage and remotely control digital signage displays across various industries. 

The vulnerability specifically affects versions prior to 21.1050.

The security issue involves multiple weaknesses in the system’s design:

- The /MagicInfo/servlet/SWUpdateFileUploader endpoint doesn’t verify if the user making the request is authenticated.
- The system improperly sanitizes filename inputs and concatenates them to file paths without proper validation.
- No verification of file extensions occurs during the upload process.

Technical analysis reveals the vulnerable code creates paths using:

This implementation allows attackers to write specially crafted JavaServer Pages (JSP) files to the server, which can then be executed to run arbitrary code with system-level privileges.

Samsung initially disclosed the vulnerability in August 2024, following responsible disclosure by security researchers. At that time, no exploitation was reported. 

However, the situation changed dramatically when a research article with technical details and a proof-of-concept exploit was published on April 30, 2025, and within days Arctic Wolf began observing active exploitation attempts in the wild.
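Exploitation of this flaw leaves a recognizable footprint in web-server access logs: a POST to the unauthenticated upload endpoint, followed shortly afterwards by a request for a JSP file from the same source. The following added example, which is not part of Arctic Wolf's advisory or Samsung's product, runs that correlation over a few constructed combined-format log lines. The JSP path in the sample, the ten-minute window and the trusted-source allowlist are assumptions for illustration.

```python
"""
Added example (not from the advisory): flag access-log entries that look like
exploitation attempts against the unauthenticated SWUpdateFileUploader endpoint.
Log lines are constructed; Apache/nginx combined log format is assumed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: an upload from an untrusted address, a JSP request from the
# same address seconds later, benign traffic, and an upload from an admin host.
# "/MagicInfo/uploads/example.jsp" is a made-up path, not a real product location.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2025:08:15:22 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2025:08:15:30 +0000] "GET /MagicInfo/uploads/example.jsp HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/May/2025:08:16:01 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 4096',
    '10.0.0.12 - - [10/May/2025:08:20:44 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2025:08:21:10 +0000] "GET /MagicInfo/index.jsp HTTP/1.1" 200 4096',
]


@dataclass
class Finding:
    ip: str
    timestamp: datetime
    reason: str
    line: str


def find_suspicious(lines, trusted_sources=frozenset(),
                    window=timedelta(minutes=10)):
    """Return findings for (1) any POST to the upload endpoint from a source not
    on the trusted list and (2) any .jsp request from a source that posted to the
    endpoint within the preceding window."""
    findings = []
    last_upload = {}  # source ip -> time of its most recent upload POST
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, method = m["ip"], m["method"]
        url_path = m["path"].split("?", 1)[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

        if method == "POST" and url_path == ENDPOINT:
            last_upload[ip] = ts
            if ip not in trusted_sources:
                findings.append(Finding(ip, ts,
                    "POST to unauthenticated SWUpdateFileUploader endpoint", line))
            continue

        if url_path.lower().endswith(".jsp") and ip in last_upload:
            elapsed = ts - last_upload[ip]
            if timedelta(0) <= elapsed <= window:
                findings.append(Finding(ip, ts,
                    "JSP requested shortly after an upload from the same source", line))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, trusted_sources={"10.0.0.12"}):
        print(f"{f.timestamp:%Y-%m-%d %H:%M:%S} {f.ip}: {f.reason}")
```

Uploads from the admin host are suppressed only because it is on the trusted list; since the endpoint itself performs no authentication, every POST to it from an unexpected source is worth a look, and the follow-up JSP request is the stronger signal that an uploaded file was executed.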

Risk Factors | Details
--- | ---
Affected Products | Samsung MagicINFO 9 Server (versions prior to 21.1050)
Impact | Remote code execution with SYSTEM privileges
Exploit Prerequisites | No authentication required
CVSS 3.1 Score | 9.8 (Critical)

Mitigations

Arctic Wolf strongly recommends that organizations using Samsung MagicINFO 9 Server upgrade immediately to the fixed version, 21.1050 or later.

Organizations should follow their established patching and testing guidelines to minimize potential operational disruptions while addressing this critical security issue.

Samsung addressed the vulnerability in version 21.1050, released in late 2024, by modifying the verification logic of user inputs to prevent path traversal attacks.
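The three weaknesses listed earlier (an unauthenticated endpoint, a filename concatenated onto a directory path, and no extension check) and the kind of input verification the fix describes can be shown side by side. The following is an added example written for this article, not Samsung's code or the actual patch; the upload root, the extension allowlist and the function names are assumptions for illustration.

```python
"""
Added example, not MagicINFO's code: the weak upload pattern described in the
article shown beside a hardened handler that checks authentication first, keeps
only the basename, allowlists extensions and verifies containment in the root.
"""
import tempfile
from pathlib import Path, PurePosixPath

# Constructed upload root; a real server would use its configured directory.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="upload-demo-"))

# Assumed allowlist of what an update uploader legitimately needs. Script
# types such as .jsp are not on it, so they can never be written.
ALLOWED_EXTENSIONS = {".bin", ".zip"}


class UploadRejected(Exception):
    """Raised when an upload fails authentication or filename validation."""


def unsafe_target_path(upload_root: Path, filename: str) -> Path:
    """The weak pattern: the raw client filename is glued onto the directory,
    so '../' sequences walk out of the upload directory and any extension,
    including .jsp, is accepted."""
    return Path(str(upload_root) + "/" + filename)


def escapes_root(upload_root: Path, target: Path) -> bool:
    """True when the resolved target is not located under the upload root."""
    root = upload_root.resolve()
    resolved = target.resolve()
    return resolved != root and root not in resolved.parents


def safe_target_path(upload_root: Path, filename: str) -> Path:
    """Hardened version: reject odd characters, keep only the final path
    component, allowlist the extension, then confirm containment."""
    if "\x00" in filename or "\\" in filename:
        raise UploadRejected("invalid characters in filename")
    name = PurePosixPath(filename).name          # drops any directory part
    if name in ("", ".", ".."):
        raise UploadRejected("empty or traversal-only filename")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not permitted: {name}")
    root = upload_root.resolve()
    target = (root / name).resolve()
    if target.parent != root:                   # defence in depth
        raise UploadRejected("target escapes upload root")
    return target


def handle_upload(authenticated: bool, filename: str, data: bytes,
                  upload_root: Path = UPLOAD_ROOT) -> Path:
    """Authentication is checked before any file is touched."""
    if not authenticated:
        raise UploadRejected("authentication required")
    target = safe_target_path(upload_root, filename)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    print("unsafe:", unsafe_target_path(UPLOAD_ROOT, "../../evil.jsp"))
    print("safe:  ", handle_upload(True, "update.bin", b"demo"))
```

Note that the containment check alone is not enough: a path that stays inside the upload directory but ends in .jsp is still a web shell if that directory is served by the application container, which is why the extension allowlist and the authentication check are both kept.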

As threat actors continue to target internet-facing services, organizations should prioritize patching this vulnerability, especially since the exploit code is now publicly available and the barrier to exploitation is considered low.
