Introduction
Administrators of Samsung MagicInfo 9 Server are advised to implement stringent security measures due to a critical Remote Code Execution (RCE) vulnerability, CVE-2024-7399 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], which has been actively exploited. This vulnerability affects specific versions of the software and poses significant risks to system integrity and data security.
Description
Administrators of Samsung MagicInfo 9 Server are strongly advised to air gap their systems from the internet due to ongoing exploit attempts affecting versions 21.1050.0 and 21.1040.2 [4]. A critical Remote Code Execution (RCE) vulnerability [6] [8], tracked as CVE-2024-7399 [5] [6] [8] [9], has been actively exploited since the public release of proof-of-concept (PoC) exploit code on April 30, 2025. This high-severity vulnerability [5], caused by improper limitation of file paths, allows unauthenticated attackers to upload malicious JavaServer Pages (JSP) files through a content update feature intended for display content management. Once a file is uploaded, attackers can execute arbitrary operating system commands with system-level access on the server, compromising security within the Apache Tomcat environment [2]. Exploitation can lead to complete system compromise [6], including malware installation [6], theft of sensitive data [6], and disruption of digital signage services [6], particularly in environments with numerous distributed displays [6].
Despite the release of official patches in August 2024, which included an update to version 21.1050, versions 21.1050.0 and 21.1040.2 remain vulnerable to exploitation. When the issue was reported to Samsung [4], the vendor classified it as a duplicate [4], delaying a comprehensive response and leaving no official patches available for either version. Consequently, variants of the Mirai botnet are reportedly targeting these unpatched vulnerabilities, expanding the scope of attacks [4].
Findings indicate that version 21.1050.0 is still vulnerable, even with the latest updates. Administrators are urged to ensure their installations are not exposed to the internet until a comprehensive update is released [4]. If air gapping is not feasible [3], implementing network segmentation [3], monitoring for suspicious network activity [3], and utilizing a Web Application Firewall (WAF) are recommended [3]. It is crucial to review access logs for any suspicious POST requests and to adopt multi-layered defense strategies to mitigate risks associated with these vulnerabilities. Additionally, implementing strict access controls and restricting server access to trusted IP addresses can further enhance security. Continuous monitoring of security advisories and threat intelligence feeds is essential for timely updates regarding patches and vulnerabilities [3]. Arctic Wolf researchers continue to monitor for malicious activities related to this vulnerability and will alert customers as necessary [5].
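One way to carry out the access-log review described above, as an added example that is not code from Samsung or from any of the cited reports. It assumes Tomcat's "common" access log pattern, a constructed trusted management network, and that the improper path limitation shows up as `../` sequences (plain or URL-encoded) in the request URI; all paths and addresses in the sample are placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Assumption: constructed management network allowed to reach the server
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]
TRAVERSAL = re.compile(r"\.\.[/\\]")
JSP = re.compile(r"\.jspx?(?:$|[?;&/])", re.I)

def is_trusted(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname instead of an address: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED)

def review(lines):
    """Return (line_no, client, reason) findings for untrusted clients."""
    findings, posted = [], set()
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, method, uri, status = m.groups()
        if is_trusted(host):
            continue
        decoded = unquote(unquote(uri))  # undo single and double URL encoding
        if method == "POST":
            posted.add(host)
            if TRAVERSAL.search(decoded):
                findings.append((no, host, "POST with path traversal sequence"))
            elif JSP.search(decoded):
                findings.append((no, host, "POST naming a JSP file"))
        elif JSP.search(decoded) and host in posted and status == "200":
            findings.append((no, host, "JSP served to a client that POSTed earlier"))
    return findings

# Constructed sample lines; paths and addresses are placeholders, not MagicInfo's.
SAMPLE = [
    '10.20.0.5 - - [06/May/2025:10:00:01 +0000] "POST /example/upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/May/2025:10:02:11 +0000] "POST /example/upload?name=..%2F..%2Fplaceholder.jsp HTTP/1.1" 200 17',
    '203.0.113.7 - - [06/May/2025:10:02:15 +0000] "GET /example/placeholder.jsp HTTP/1.1" 200 64',
    '198.51.100.9 - - [06/May/2025:10:05:00 +0000] "GET /example/index.jsp HTTP/1.1" 200 2048',
]
if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A finding is a lead for triage, not proof of compromise; a JSP that the server's own deployment does not ship and that appears after a flagged POST is the case to escalate first.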
Conclusion
The ongoing exploitation of the CVE-2024-7399 vulnerability in Samsung MagicInfo 9 Server underscores the critical need for robust security practices. Administrators must prioritize air gapping or alternative protective measures to safeguard their systems. Continuous vigilance, including monitoring security advisories and threat intelligence [3], is essential to mitigate risks and ensure timely responses to emerging threats.
References
[1] https://www.heise.de/en/news/Cyberattacks-Mirai-botnet-attacks-Samsung-MagicINFO-9-server-10374813.html
[2] https://www.hendryadrian.com/improperly-patched-samsung-magicinfo-vulnerability-exploited-by-botnet/
[3] https://www.archyde.com/samsung-magicinfo-flaw-exploited-security-threat/
[4] https://www.infosecurity-magazine.com/news/threat-actors-exploit-samsung/
[5] https://ciso2ciso.com/samsung-magicinfo-flaw-exploited-days-after-poc-exploit-publication-source-securityaffairs-com/
[6] https://www.securityinfo.it/2025/05/07/i-criminali-sfruttano-la-vulnerabilita-in-samsung-magicinfo-9-server/
[7] https://www.hendryadrian.com/samsung-magicinfo-9-server-rce-flaw-now-exploited-in-attacks/
[8] https://www.mytechnews.co/samsung-magicinfo-9-server-rce-flaw-now-exploited-in-assaults/
[9] https://www.techradar.com/pro/security/top-samsung-software-hit-by-attackers-to-spread-malware-and-hijack-devices
[10] https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw