CVE-2024-7399

Samsung MagicINFO 9 Server — Unauthenticated File Write to Remote Code Execution via Path Traversal
⚠️ CVSS 3.1  8.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Samsung MagicINFO 9 Server?

Samsung MagicINFO is an enterprise digital signage content management system (CMS) that centrally manages Samsung commercial displays — from shopping mall screens to airport departure boards, hotel lobbies, hospital wayfinding systems, and corporate digital notice boards. Organizations use MagicINFO Server to schedule and push content, monitor display health, and manage large fleets of screens remotely.

MagicINFO 9 Server is typically deployed as a Windows application server (running Apache Tomcat) that is internet-accessible so administrators can manage displays from anywhere. This network-facing posture is exactly what makes it an attractive target: a single compromised MagicINFO server controls every display in the organization's network, and the server itself becomes a foothold into the broader corporate network.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 24, 2026 with a remediation deadline of May 8, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2024-7399 is a path traversal (CWE-22) vulnerability in the file upload servlet of Samsung MagicINFO 9 Server. An attacker who can reach the servlet (rated PR:L by NVD, but in practice needing no credentials; see Technical Details) can write an arbitrary file to any path on the host as SYSTEM, and turns that into remote code execution by dropping a JSP web shell into a web-accessible directory.

A critical complication: Samsung's initial patch (v21.1050.0, August 2024) was incomplete. Huntress Labs confirmed the PoC still worked against v21.1050.0 and v21.1040.2. The real fix did not arrive until hotfix v21.1052 in May 2025 — nine months after the initial advisory. Exploitation began immediately after a public PoC was released on April 30, 2025.

Affected Versions

Version                            Status
All versions prior to 21.1050.0    Vulnerable
v21.1040.2                         Vulnerable (exploitation confirmed by Huntress against this build)
v21.1050.0                         Vulnerable (initial patch was incomplete)
v21.1052                           Fixed (hotfix, released May 8, 2025; requires v21.1050 first)
v21.1080.0+                        Fixed (includes additional fixes)

Important: v21.1052 is a hotfix-only installer. You must be on v21.1050 before applying it. Check your current version before patching.

Technical Details

The vulnerability resides in SWUpdateFileUploadServlet, accessible at:

/MagicInfo/servlet/SWUpdateFileUploader

The servlet takes a user-controlled fileName parameter from the multipart request and appends it directly to a base upload path, without canonicalizing the result or checking that it still lies inside the upload directory. A request with fileName=../../../../path/to/webroot/shell.jsp therefore writes the uploaded payload to the attacker-chosen path instead of the intended upload directory.

Example attack (simplified; the multipart part that carries the JSP payload is omitted):

POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1
Host: <target>
Content-Type: multipart/form-data; boundary=----boundary

------boundary
Content-Disposition: form-data; name="fileName"

../../../webapps/MagicInfo/shell.jsp
------boundary
[file part carrying the JSP payload]
------boundary--

The JSP web shell then executes in the context of the Apache Tomcat process — which on Windows installations typically runs as SYSTEM, giving the attacker full control of the server OS.
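To make the root cause concrete, the following is an added Python illustration (not Samsung's servlet code) of three ways to build the target path: the flawed concatenation described above, a common but insufficient string-stripping "fix", and a containment check that rejects the traversal. The upload directory /opt/MagicInfo/upload and the overlapping "....//" input are assumptions for the demonstration; the page does not say what Samsung's first patch actually missed.

```python
"""Path-traversal check: the flawed pattern behind CVE-2024-7399, a common
insufficient fix, and a containment check that rejects the traversal.
Added illustration, not Samsung's code; the base directory is an assumption."""
import posixpath

UPLOAD_BASE = "/opt/MagicInfo/upload"   # assumed upload directory; the real path is install-specific


def naive_target(base, file_name):
    """Mirrors the vulnerable pattern: base + user-controlled fileName, no validation."""
    return posixpath.normpath(base + "/" + file_name)


def strip_dotdot_target(base, file_name):
    """A typical insufficient 'fix': delete '../' and join. Overlapping input such as
    '....//' collapses back into '../' after one pass, so traversal survives.
    (Generic weakness; this page does not say what Samsung's first patch missed.)"""
    return posixpath.normpath(base + "/" + file_name.replace("../", ""))


def is_contained(base, candidate):
    """True only if the normalized candidate is the base dir or a path below it."""
    base_n = posixpath.normpath(base)
    cand_n = posixpath.normpath(candidate)
    return cand_n == base_n or cand_n.startswith(base_n.rstrip("/") + "/")


def safe_target(base, file_name):
    """Hardened join: normalize, then refuse anything that escapes the base.
    Pure string normalization; on a live filesystem also resolve symlinks with
    os.path.realpath before the containment check."""
    # posixpath.join discards base when file_name is absolute; is_contained catches that too.
    candidate = posixpath.join(posixpath.normpath(base), file_name)
    if not is_contained(base, candidate):
        raise ValueError(f"fileName escapes upload directory: {file_name!r}")
    return posixpath.normpath(candidate)


TRAVERSAL = "../../../webapps/MagicInfo/shell.jsp"            # the advisory's example fileName
OVERLAPPING = "....//....//....//webapps/MagicInfo/shell.jsp"  # constructed bypass of the naive filter


def demo():
    """Run all three joins on the sample inputs and report what each would write."""
    results = {
        "naive": naive_target(UPLOAD_BASE, TRAVERSAL),
        "stripped": strip_dotdot_target(UPLOAD_BASE, OVERLAPPING),
        "safe_legit": safe_target(UPLOAD_BASE, "firmware_update.bin"),
    }
    try:
        safe_target(UPLOAD_BASE, TRAVERSAL)
        results["safe_traversal"] = "ACCEPTED (bug)"
    except ValueError:
        results["safe_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

Both the naive join and the stripped join resolve the sample input to /webapps/MagicInfo/shell.jsp, three levels above the upload directory; only the containment check refuses it while still accepting an ordinary firmware file name.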

Why some sources call this "unauthenticated RCE": the SSD Disclosure write-up demonstrates the exploit without logging in, and the public PoC operates without credentials, while the NVD CVSS vector records PR:L (Low Privileges Required). The PR:L rating lowers the score but does not reflect what attackers actually needed; for exposure assessment and triage, treat the upload servlet as reachable by anyone who can reach the server.

Discovery

An independent security researcher working through SSD Secure Disclosure notified Samsung on January 12, 2025. After the standard 90-day coordinated disclosure window, SSD published a full technical write-up with PoC on April 30, 2025. Active exploitation began within days.

Exploitation Context

Mirai Botnet Deployment

Arctic Wolf observed exploitation attempts within days of the April 30, 2025 PoC publication. The primary post-exploitation payload was Mirai botnet variants — the same malware family responsible for some of the largest DDoS attacks in history. Threat actors used the web shell to execute a Mirai dropper that recruited the MagicINFO server into a DDoS botnet.

Additional post-exploitation activity included:

  • Configuration changes for persistent access
  • Lateral movement into the internal corporate network
  • Cryptocurrency mining (documented by eSentire)
  • Credential harvesting

Internet Exposure

At peak, approximately 6,683 Samsung MagicINFO servers were observable on Shodan, with 1,101 counted by Censys. This represents a substantial attack surface spread across retail, hospitality, healthcare, transportation, and corporate environments globally.

Public Exploit Tooling

  • Metasploit module exploit/windows/http/magicinfo_traversal (PR #20188) — published May 22, 2025
  • SSD Disclosure PoC — published April 30, 2025
  • Nuclei template available for vulnerability scanning

The Metasploit integration means exploitation is within reach of low-skill attackers with access to standard penetration testing toolkits.

Related Vulnerability: CVE-2025-4632

A related critical vulnerability, CVE-2025-4632 (CVSS 9.8), is the same traversal in MagicINFO 9 Server reaching SYSTEM-level file write after the incomplete v21.1050.0 patch; it is resolved by the same v21.1052 hotfix. SRCIncite researchers subsequently identified 18 additional high-impact vulnerabilities in the MagicINFO codebase (published January 2026), including hard-coded database credentials, authentication bypass via directory traversal, and a TOCTOU race condition. The MagicINFO attack surface is deeper than a single CVE suggests.

Remediation

CISA BOD 22-01 Deadline: May 8, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply hotfix v21.1052 immediately — this is the fully effective fix. If you are on a version below v21.1050, upgrade to v21.1050 first, then apply v21.1052. Do not assume v21.1050.0 alone protects you.
  2. Check your current version — navigate to Help → About in the MagicINFO Server UI, or check the installation directory's version file.
  3. Audit the web application directory for unexpected .jsp or .sh files — these may indicate a web shell dropped by a prior exploitation attempt.
  4. Review Tomcat access logs for POST requests to /MagicInfo/servlet/SWUpdateFileUploader, particularly from unexpected source addresses. The fileName parameter travels in the multipart request body, which the access log does not record, so ../ sequences will generally not be visible there; treat any unexpected POST to this servlet as an event to investigate and correlate it with new files under the web root.
  5. Restrict internet exposure — MagicINFO Server should not be directly internet-accessible. Place it behind a VPN, firewall, or reverse proxy. Default ports are TCP 7001 (HTTP) and 7002 (HTTPS).
  6. Assume compromise if unpatched since April 2025 — if your server was exposed to the internet and running a vulnerable version after April 30, 2025, treat it as potentially compromised and perform a full forensic review before trusting it.
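The checklist above, as an added Python triage script that is not Samsung's or CISA's tooling: a version gate against the fixed line, a scan of Tomcat access-log lines in Common Log Format for POSTs to the upload servlet, and a walk of the web root for recently modified .jsp and .sh files. The sample log lines and the on-disk tree are constructed here; the log format assumption is Tomcat's default access log, and the fixed-version threshold is taken from the Affected Versions table.

```python
"""Triage helpers for the CVE-2024-7399 checklist: version gate, access-log review
and webroot audit. Added example, not Samsung's or CISA's tooling. Assumes Tomcat's
Common Log Format access log; sample log lines and the on-disk tree are constructed."""
import os
import re
import tempfile
from datetime import datetime, timezone

UPLOAD_SERVLET = "/MagicInfo/servlet/SWUpdateFileUploader"
FIXED_FROM = (21, 1052)            # hotfix v21.1052 and later, per the Affected Versions table
SCRIPT_SUFFIXES = (".jsp", ".sh")  # file types the checklist says to look for

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text):
    """'v21.1050.0' -> (21, 1050, 0)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_fixed(version):
    """True for v21.1052 or later. v21.1050.0 is NOT fixed, matching the advisory."""
    return parse_version(version)[:2] >= FIXED_FROM


def upload_posts(log_lines):
    """Every POST to the upload servlet as (ip, timestamp, status).
    The access log records the request line, not the multipart body where fileName
    travels, so no '../' will appear here; correlate each hit with file-system
    changes instead of grepping for traversal strings."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.lower() == UPLOAD_SERVLET.lower():
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def recent_scripts(webapps_dir, since):
    """.jsp/.sh files under webapps_dir modified at or after `since` (aware datetime).
    mtimes can be forged, so also diff the tree against the vendor's shipped file list."""
    found = []
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            full = os.path.join(root, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime >= since:
                found.append(os.path.relpath(full, webapps_dir).replace(os.sep, "/"))
    return sorted(found)


# Constructed sample log: one upload POST followed by a request to the dropped shell.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:03:14:07 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2025:03:14:09 +0000] "GET /MagicInfo/shell.jsp?cmd=whoami HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/May/2025:08:00:00 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 4211',
]
POC_DATE = datetime(2025, 4, 30, tzinfo=timezone.utc)  # public PoC date from the timeline


def build_sample_webroot():
    """Constructed webapps tree: one shipped .jsp with an old mtime, one fresh shell.
    Timestamps are set explicitly so the sample is reproducible."""
    root = tempfile.mkdtemp(prefix="magicinfo-webapps-")
    app = os.path.join(root, "MagicInfo")
    os.makedirs(app)
    legit = os.path.join(app, "index.jsp")
    with open(legit, "w") as f:
        f.write("<%-- shipped page --%>")
    old = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legit, (old, old))
    shell = os.path.join(app, "shell.jsp")
    with open(shell, "w") as f:
        f.write("<%-- dropped file --%>")
    fresh = datetime(2025, 5, 1, 3, 14, 8, tzinfo=timezone.utc).timestamp()
    os.utime(shell, (fresh, fresh))
    return root


def triage(version, log_lines, webapps_dir):
    """Combine the three checks into one report dict."""
    return {
        "patched": is_fixed(version),
        "upload_posts": upload_posts(log_lines),
        "new_scripts": recent_scripts(webapps_dir, POC_DATE),
    }


if __name__ == "__main__":
    report = triage("21.1050.0", SAMPLE_LOG, build_sample_webroot())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point recent_scripts at the real Tomcat webapps directory and upload_posts at the real access log to reproduce steps 3 and 4 on a live server; a report showing an unpatched version plus any upload POST plus a script file newer than the PoC date is the signal to move to step 6 and treat the host as compromised.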

Key Details

Property              Value
CVE ID                CVE-2024-7399
Vendor / Product      Samsung — MagicINFO 9 Server
NVD Published         2024-08-12
NVD Last Modified     2026-04-24
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-22 — Improper Limitation of a Pathname to a Restricted Directory
CISA KEV Added        2026-04-24
CISA KEV Deadline     2026-05-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-05-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-08-02    CVE-2024-7399 reserved
2024-08-09    Samsung releases partial patch v21.1050.0 — later found to be incomplete
2024-08-12    CVE published to NVD
2025-01-12    SSD Disclosure researcher reports full technical details to Samsung (90-day disclosure window begins)
2025-04-30    SSD Disclosure publishes full PoC and technical write-up after 90-day window
2025-05-01    Arctic Wolf observes active exploitation — within days of PoC publication
2025-05-08    Samsung releases hotfix v21.1052 — fully addresses CVE-2024-7399
2026-04-24    Added to CISA Known Exploited Vulnerabilities Catalog
2026-05-08    CISA BOD 22-01 remediation deadline