
A critical security vulnerability, CVE-2024-7399, is being actively exploited in the wild in Samsung MagicINFO 9 Server, a content management system (CMS) widely used for managing digital signage displays. Arctic Wolf reported the active exploitation as of early May 2025.
The vulnerability allows unauthenticated users to write arbitrary files to the server. This can escalate to remote code execution when attackers use the flaw to write specially crafted JavaServer Pages (JSP) files. The issue stems from several weaknesses in MagicINFO’s design:
- It does not verify if the user making the request is authenticated.
- It accepts a filename and directly concatenates it to the file’s save path.
- It fails to validate the file extension provided in the request.
By combining these flaws, attackers can upload JSP files and execute arbitrary server-side code without needing valid user credentials.
The root cause of CVE-2024-7399 is a flaw in the input verification logic of Samsung MagicINFO 9 Server: the filename supplied in the request is not properly sanitized before it is joined to the save path, the file extension is not validated, and the requester is never authenticated. Consequently, unauthenticated attackers can upload JSP files and execute arbitrary code with system-level privileges on vulnerable servers.
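The three weaknesses above, illustrated as an added example (not Samsung's code or the MagicINFO code base): a naive save-path builder that concatenates the client filename beside a hardened one that requires a session, strips directory components, enforces an extension allow-list and confirms the canonical path stays under the upload root. The upload root, the allowed extensions and the function shapes are assumptions for the demonstration.

```python
# Added example, not from the original page or from Samsung: a weak upload
# path builder beside a hardened one. UPLOAD_ROOT and ALLOWED_EXT are assumed.
import posixpath

UPLOAD_ROOT = "/srv/signage/uploads"             # assumed upload directory
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".mp4"}  # content a signage CMS expects


def naive_save_path(filename: str) -> str:
    """The weak pattern: the request's filename is concatenated to the save
    path with no authentication, traversal or extension check."""
    return UPLOAD_ROOT + "/" + filename


def escapes_root(path: str) -> bool:
    """True when the normalised path no longer lies under UPLOAD_ROOT."""
    norm = posixpath.normpath(path)
    return posixpath.commonpath([UPLOAD_ROOT, norm]) != UPLOAD_ROOT


def hardened_save_path(filename: str, authenticated: bool) -> str:
    """Return the final save path only if every check passes; raise otherwise."""
    if not authenticated:
        raise PermissionError("upload requires an authenticated session")
    # Discard any client-supplied directory part (either separator style)
    # and reject empty names, dot names and embedded NUL bytes.
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base in (".", "..") or "\x00" in base:
        raise ValueError("invalid filename")
    # Only the final extension matters (so 'photo.png.jsp' is '.jsp'), and it
    # must be on the allow-list; a deny-list of script extensions is brittle.
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not permitted")
    # Canonicalise and confirm the result still sits under the upload root.
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if escapes_root(full):
        raise ValueError("path escapes upload root")
    return full


def upload_allowed(filename: str, authenticated: bool = True) -> bool:
    """Convenience wrapper: True if the hardened check accepts the request."""
    try:
        hardened_save_path(filename, authenticated)
        return True
    except (PermissionError, ValueError):
        return False
```

With the naive builder a constructed name such as `../../other-dir/page.jsp` resolves outside the upload root; the hardened builder rejects it on both the extension and the traversal, and refuses any request without a session.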
Samsung initially disclosed the high-severity vulnerability in August 2024, following responsible disclosure by security researchers. At that time, there were no reports of exploitation. However, the situation changed rapidly after a new research article was published on April 30, 2025, which included technical details and a proof-of-concept (PoC) exploit. Within days of this publication, exploitation in the wild was observed.
Arctic Wolf warns that threat actors are likely to continue exploiting this vulnerability because of the low barrier to entry and the public availability of a PoC exploit. The security firm is actively monitoring for malicious post-compromise activity related to CVE-2024-7399 and will notify its Managed Detection and Response customers of any malicious activity.
The affected and fixed versions are as follows:
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Samsung MagicINFO 9 Server | Prior to 21.1050 | 21.1050 and later |
Arctic Wolf strongly advises users to upgrade their Samsung MagicINFO 9 Server to the latest fixed version to mitigate this vulnerability.