Arbitrary File Write Vulnerability in Samsung MagicINFO 9 Server
CVE-2024-7399
Key Information:
- Vendor: Samsung Electronics
- CVE Published: 12 August 2024
What is CVE-2024-7399?
CVE-2024-7399 is a critical vulnerability in Samsung MagicINFO 9 Server, the digital signage management platform used to control and distribute multimedia content to Samsung's commercial displays. The software is deployed widely across transportation networks, retail environments, corporate offices and healthcare facilities. The flaw is an improper limitation of a pathname to a restricted directory: the server does not adequately validate client-supplied filenames, so a filename containing traversal sequences lets an attacker write an arbitrary file to a location of their choosing, with system authority. Because content written into the right directory is then executed by the server, a crafted upload such as a web shell leads to code execution with that same authority. Exploitation can therefore cause severe operational disruption, data breaches and unauthorized access to sensitive information, with significant impact on organizational integrity and security.
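To make the flaw class concrete, the following is an added example written for this page, not code from Samsung or from MagicINFO 9 Server: a minimal upload-path resolver in the vulnerable form (the client-supplied filename is joined straight onto the upload root) beside a hardened form that treats the filename as a single path component, allowlists the extension and checks containment of the resolved path. The upload directories, the extension allowlist and the sample filenames are assumptions constructed for the demonstration; the Windows branch uses ntpath so the backslash traversal case can be shown on any host.

```python
"""Added example: the pathname-validation flaw class behind CVE-2024-7399.

Illustrative code written for this page, NOT MagicINFO's own code.
Directory names, the extension allowlist and the sample filenames are
assumptions constructed for the demonstration.
"""
import ntpath
import posixpath

# Assumed upload roots (hypothetical; real paths depend on the install).
UPLOAD_DIR_WINDOWS = r"C:\MagicInfo\uploads"
UPLOAD_DIR_POSIX = "/srv/magicinfo/uploads"

# Assumed allowlist of media types a signage server should accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".mp4"}


def vulnerable_target_path(base_dir, filename, windows=False):
    """Vulnerable pattern: the client-supplied filename is joined to the
    upload root with no check for '..' segments, so a name such as
    '..\\..\\inetpub\\wwwroot\\shell.jsp' resolves outside base_dir.
    ntpath/posixpath are chosen explicitly so each OS's behaviour can be
    shown regardless of where this script runs."""
    p = ntpath if windows else posixpath
    return p.normpath(p.join(base_dir, filename))


def safe_target_path(base_dir, filename, windows=False):
    """Hardened pattern: validate AFTER all decoding (URL, multipart) is
    done, treat the filename as a single path component, allowlist the
    extension, and verify containment of the final resolved path.
    Raises ValueError for anything that is not a plain media filename."""
    p = ntpath if windows else posixpath
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or NUL byte")
    # Both separators are rejected: Windows accepts '/' as well as '\\'.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separator in filename")
    if filename in (".", "..") or filename.startswith("."):
        raise ValueError("dot or hidden name")
    ext = p.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext or '(none)'} not allowed")
    base = p.normpath(base_dir)
    target = p.normpath(p.join(base, filename))
    # Defence in depth: even if a check above were bypassed, the resolved
    # path must still lie strictly inside the upload root.
    if p.commonpath([base, target]) != base or target == base:
        raise ValueError("path escapes upload directory")
    return target


# Constructed sample filenames an upload handler might receive. The
# traversal entries model the flaw class, not a specific captured request.
SAMPLE_FILENAMES = [
    "promo.png",
    "..\\..\\inetpub\\wwwroot\\shell.jsp",
    "../../webapps/ROOT/shell.jsp",
    "shell.jsp",
    "..",
]


def classify(filenames, base_dir, windows=False):
    """Map each filename to its accepted path, or 'rejected: <reason>'."""
    results = {}
    for name in filenames:
        try:
            results[name] = safe_target_path(base_dir, name, windows)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        resolved = vulnerable_target_path(UPLOAD_DIR_WINDOWS, name, windows=True)
        print(f"{name!r:40} vulnerable -> {resolved}")
    for name, verdict in classify(SAMPLE_FILENAMES, UPLOAD_DIR_WINDOWS, windows=True).items():
        print(f"{name!r:40} hardened   -> {verdict}")
```

Run it directly to see every sample filename resolved by both functions. The ordering detail that matters in practice is that validation runs on the final decoded filename: if the framework URL-decodes or multipart-decodes after the check, an encoded traversal sequence passes the check and is decoded into `..` afterwards.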
Potential impact of CVE-2024-7399
- Remote Code Execution: the vulnerability allows unauthenticated attackers to use the path traversal flaw to write and then execute arbitrary code. This makes it possible to deploy malicious scripts or web shells, giving unauthorized administrative access to the server and undermining system integrity.
- Data Breaches: by exploiting this vulnerability, attackers can gain unauthorized access to sensitive data managed through the MagicINFO platform. The risk is particularly acute because these displays often handle critical information in public and corporate environments, increasing the potential for significant data loss or disclosure.
- Botnet Recruitment and DDoS Attacks: compromised MagicINFO servers have been linked to the Mirai botnet, a collection of hijacked devices used to launch Distributed Denial of Service (DDoS) attacks. Exploitation of this vulnerability therefore also feeds broader threats, with vulnerable servers used as part of coordinated attacks against other targets.
CISA has reported CVE-2024-7399
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-7399 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- MagicINFO 9 Server (Windows): all versions before 21.1050
News Articles
- CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline (5 days ago): CISA adds 4 exploited CVEs including CVSS 9.9 SimpleHelp flaw, mandating FCEB mitigation by May 8, 2026 to reduce ransomware and botnet risk.
- Metasploit Wrap-Up | Rapid7 Blog (last updated Thu, 22 May 2025 18:14:26 GMT): This week's wrap-up includes many new modules, but notably, we've upgraded Metasploit loading. Thanks to bcoles, the bootup performance when searching for a...
- Samsung patches MagicINFO 9 Server vulnerability exploited by attackers (Help Net Security): Companies using Samsung MagicINFO 9 should upgrade to the latest available version to fix a vulnerability exploited by attackers in the wild.
References
EPSS Score: 82% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- CISA Reported
- Vulnerability started trending
- Used in Ransomware
- Exploit known to exist
- First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved
