[CDP-development] TLP: Green (Vulnerability Alert Notification) CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Fri Apr 24 13:30:28 PDT 2026


Good afternoon,

The SOC Services team is reporting on CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability, which affects Samsung MagicINFO 9 Server for digital signage content management. We are providing this in-depth information because active exploitation by botnets (Mirai/LZRD) was confirmed following the release of a public PoC, and because this flaw allows unauthenticated attackers to gain NT AUTHORITY\SYSTEM access.

History: Originally disclosed and patched by Samsung in August 2024; technical write-up and PoC published by SSD Secure Disclosure on April 30, 2025. The CVSS v3.x base score is 7.5 (HIGH).

Affected Versions

  *   Samsung MagicINFO 9 Server versions prior to 21.1050

Fixed Versions

  *   Samsung MagicINFO 9 Server 21.1050 (initial patch)
  *   Samsung MagicINFO 9 Server 21.1052 (recommended to address subsequent bypasses)

Improper limitation of a pathname to a restricted directory in Samsung MagicINFO 9 Server allows attackers to write arbitrary files as system authority.

Vendor Advisory: Samsung Product Security Update - August 2024 <https://security.samsungtv.com/securityUpdates>

Additional Info: SSD Secure Disclosure <https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/>

Intelligence: On April 24, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability: Network
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Publicly Available (SSD Secure Disclosure / Metasploit)
Zero Day: No (Patched before public exploitation began)

Workarounds:

  *   Restrict access to TCP ports 7001 (HTTP) and 7002 (HTTPS) to known administrative IPs
  *   Disable the SWUpdateFileUploader servlet if firmware updates are not currently scheduled
  *   Isolate MagicINFO servers from the public internet using a VPN or Zero Trust Architecture

How it Works: The vulnerability (CWE-22) exists in the `getFileFromMultipartFile` method within the `SWUpdateFileUploader` servlet. An attacker sends a specially crafted `POST` request containing a filename with path traversal sequences (e.g., `../../`). Because the application fails to sanitize this input or check for authentication, it writes the file to an arbitrary directory. By uploading a malicious `.jsp` shell to a web-accessible directory, the attacker achieves Remote Code Execution (RCE) with SYSTEM privileges.

Post-Exploit Impact:

  *   Full system compromise with SYSTEM-level privileges (CWE:CWE-434)
  *   Lateral movement within the corporate network from the management server (CWE:CWE-22)

Indicators of Compromise (IoCs):

Type           | Value                           | Description / Notes                                          | Source
---------------+---------------------------------+--------------------------------------------------------------+--------------------------------
HTTP POST      | /MagicInfo/SWUpdateFileUploader | Inbound POST requests to this endpoint from unauthorized IPs | Arctic Wolf
File Path      | ..\..\..\                       | Presence of directory traversal sequences in servlet logs    | Rapid7
Detection Name | Behavior:Win32/CVE-2024-7399.A  | Microsoft Defender detection for exploitation attempts       | Microsoft Security Intelligence

Tenable Plugins: As of the release of this Vulnerability Notification, Tenable has not published any plugins for this CVE.

Recommended Actions:

Date Added to KEV Catalog: April 24, 2026
Due Date for Remediation: May 8, 2026

  *   Immediately upgrade MagicINFO 9 Server to version 21.1052 or later
  *   Scan for unauthorized .jsp files in the MagicINFO installation directories
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV
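
The two log-based indicators from the IoC table (POSTs to the servlet from unauthorized IPs, and traversal sequences in the request), applied to web access logs as an added example that is not part of the original notification or any vendor tooling. It assumes Common Log Format; the allowlisted network, the sample lines and the `name` query parameter are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "/MagicInfo/SWUpdateFileUploader"  # endpoint named in the IoC table
# Assumption: networks allowed to reach the servlet (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: access log in Common Log Format; adapt to the server's real layout.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

# Constructed log lines; the "name" query parameter is hypothetical.
SAMPLE_LOG = [
    '10.20.0.15 - - [24/Apr/2026:09:01:11 -0700] "POST /MagicInfo/SWUpdateFileUploader?name=update.zip HTTP/1.1" 200 12',
    '203.0.113.7 - - [24/Apr/2026:09:02:40 -0700] "POST /MagicInfo/SWUpdateFileUploader?name=..%2F..%2Fplaceholder.jsp HTTP/1.1" 200 12',
    '198.51.100.9 - - [24/Apr/2026:09:03:02 -0700] "POST /MagicInfo/SWUpdateFileUploader?name=%252e%252e%255cplaceholder.jsp HTTP/1.1" 404 0',
    '203.0.113.7 - - [24/Apr/2026:09:04:00 -0700] "GET /MagicInfo/index.html HTTP/1.1" 200 900',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return finding tags for one log line; an empty list means nothing to report."""
    m = LINE_RE.match(line)
    target = decode_fully(m["target"]) if m else ""
    if not m or m["method"] != "POST" or target.split("?", 1)[0].lower() != ENDPOINT.lower():
        return []
    findings = []
    try:
        if not any(ipaddress.ip_address(m["ip"]) in net for net in ALLOWED_NETS):
            findings.append("unauthorized-source")
    except ValueError:  # hostname or malformed address in the client field
        findings.append("unparseable-source")
    if TRAVERSAL_RE.search(target):
        findings.append("path-traversal")
    if findings and m["status"].startswith("2"):
        findings.append("server-returned-2xx")
    return findings

def scan(lines):
    return [(n, tags) for n, line in enumerate(lines, 1) if (tags := classify(line))]
```

A hit tagged `server-returned-2xx` means the upload request was accepted, so that host should go through the unauthorized `.jsp` file check before patching.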