Hackers Actively Exploit RCE Vulnerability in Samsung MagicINFO 9 Server
A remote code execution (RCE) vulnerability in Samsung’s MagicINFO 9 Server is being actively exploited by hackers to hijack devices and deploy malware. This server is used to manage and control Samsung’s digital signage displays, which are found in various public and commercial spaces, including retail stores, airports, and hospitals.
The vulnerability, tracked as CVE-2024-7399, was first disclosed in August 2024 and was fixed in version 21.1050 of MagicINFO 9. However, security researchers revealed a proof-of-concept (PoC) exploit on April 30, 2025, that allows unauthenticated attackers to execute arbitrary commands on the affected server.
The flaw arises from improper path restrictions in the file upload feature, which hackers are exploiting to upload malicious code (such as a JSP web shell). Once the file is uploaded, attackers can execute commands on the server by requesting it and passing OS commands through a cmd parameter.
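A log check for the request pattern described above (a request to a JSP file that carries a cmd parameter), added here as an example and not taken from the original article or from any vendor advisory. The access-log format, the /EXAMPLE/ paths and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common access-log format (not real traffic;
# the /EXAMPLE/ paths are placeholders, not MagicINFO's actual paths).
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2025:10:02:11 +0000] "POST /EXAMPLE/upload-endpoint HTTP/1.1" 200 12
198.51.100.7 - - [01/May/2025:10:02:15 +0000] "GET /EXAMPLE/uploaded.jsp?cmd=id HTTP/1.1" 200 31
203.0.113.9 - - [01/May/2025:10:05:40 +0000] "GET /EXAMPLE/login.jsp?lang=en HTTP/1.1" 200 5120
198.51.100.7 - - [01/May/2025:10:06:02 +0000] "GET /EXAMPLE/Uploaded.JSP?x=1&CMD=id HTTP/1.1" 200 44
203.0.113.9 - - [01/May/2025:10:07:00 +0000] "GET /EXAMPLE/search?cmd=help HTTP/1.1" 404 0
192.0.2.44 - - [01/May/2025:10:09:30 +0000] "GET /EXAMPLE/missing.jsp?cmd=id HTTP/1.1" 404 0
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_webshell_requests(log_text, param="cmd"):
    """Map client IP -> [(timestamp, method, path, status, values)] for every
    request to a .jsp resource whose query string carries `param`.
    Only the query string is visible in access logs; POST bodies are not."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)  # normalise percent-encoding before matching
        if not path.lower().endswith(".jsp"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # decodes names and values
        values = [v for k, vs in query.items() if k.lower() == param for v in vs]
        if values:
            hits[ip].append((ts, method, path, int(status), values))
    return dict(hits)

def summarize(hits):
    """Map client IP -> (matching requests, how many got a 2xx response).
    A 2xx response means the requested JSP exists and was served."""
    return {ip: (len(rows), sum(200 <= r[3] < 300 for r in rows))
            for ip, rows in hits.items()}

if __name__ == "__main__":
    for ip, (total, served) in summarize(find_webshell_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {total} JSP request(s) with cmd parameter, {served} served")
```

A client with served matches points to a file that should be compared against the JSP files shipped with the installed server version.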
The active exploitation of this vulnerability was confirmed shortly after the PoC’s release, with cybersecurity firm Arctic Wolf warning that threat actors are likely to continue targeting this flaw. Threat analyst Johannes Ullrich also reported that a variant of the Mirai botnet malware is using this vulnerability to take over devices.
System administrators are urged to immediately update their systems to MagicINFO Server version 21.1050 or later to mitigate the risks associated with this critical vulnerability. Despite the patch being available, confusion remains as to whether the flaw identified by SSD-Disclosure is indeed CVE-2024-7399 or an unpatched zero-day vulnerability, as reports suggest that the latest firmware is not available for download from Samsung’s official site.