CVE-2024-7399 Actively Exploited Samsung MagicINFO Critical Write Flaw

Key Takeaways

• CVE-2024-7399 in Samsung MagicINFO 9 Server is under active exploitation as of May 2025.
• The flaw allows attackers to write arbitrary files as system authority, enabling full server compromise.
• CISA, NIST, and Arctic Wolf confirm exploitation in the wild; urgent patching is required.

What Happened?

Samsung MagicINFO is a widely deployed enterprise content management system for digital signage, used by corporations, retailers, educational institutions, and public sector organizations to manage thousands of networked displays. On May 6, 2025, Arctic Wolf and CISA confirmed that CVE-2024-7399—a critical vulnerability in MagicINFO 9 Server—was being actively exploited in the wild. Attackers began targeting internet-exposed MagicINFO servers to gain a foothold in enterprise environments, leveraging the vulnerability to gain system-level access. The risk is especially acute because digital signage is often overlooked in security programs, yet is highly connected and can serve as a lateral movement vector for attackers.

The vulnerability was first reported to Samsung in early 2025, with a patch released in March. However, many organizations lagged in applying the update, and threat actors quickly began scanning for and exploiting unpatched servers. Detection of exploitation in the wild was made possible by security researchers monitoring attack infrastructure and identifying malicious file writes and suspicious network activity associated with MagicINFO endpoints. This prompted urgent advisories from both Samsung and government agencies, warning that exploitation was not theoretical but observed at scale. ¹, ²

Technical Details

CVE-2024-7399 is an improper limitation of a pathname to a restricted directory (CWE-22, CWE-434) in Samsung MagicINFO 9 Server before version 21.1050. The vulnerability exists in the server's file handling routines, allowing a remote, unauthenticated attacker to craft HTTP requests with malicious path traversal sequences (such as ../) to write arbitrary files outside the intended directory. If the attacker can upload a web shell or overwrite critical configuration files, they can execute arbitrary code with SYSTEM or root privileges, fully compromising the server.

Affected endpoints typically include web-facing management interfaces and file upload handlers. While some attack paths may require authentication, researchers have demonstrated that in many enterprise deployments, weak or default credentials and exposed interfaces make exploitation trivial. Once system-level access is obtained, attackers can:

• Deploy persistent backdoors
• Steal sensitive content or credentials
• Move laterally to other systems within the network
• Use compromised signage to display malicious or disruptive content

The high CVSS score reflects the ease of exploitation and the potential for attackers to automate scanning and compromise at scale. ¹, ³

Impact & Risks

The real-world consequences of CVE-2024-7399 are severe for organizations relying on digital signage:

• Full server compromise allows attackers to install malware, create persistent backdoors, or exfiltrate sensitive data from MagicINFO servers or connected networks.
• Attackers can use compromised signage as a launchpad for lateral movement, targeting more sensitive systems or spreading ransomware within the organization.
• Digital signage is often used for public-facing communications; compromise can result in defacement, misinformation campaigns, reputational damage, or even regulatory scrutiny if inappropriate or malicious content is displayed.
• In retail and public sector environments, disruption of signage can impact operations, customer experience, and safety communications.
• Supply chain risk: service providers managing signage for multiple clients may inadvertently propagate compromise across customer environments.

Recent campaigns have shown attackers leveraging similar vulnerabilities to stage multi-phase attacks, using initial access from signage infrastructure to escalate privileges and compromise business-critical assets. ¹, ²

Recommendations

Actionable steps for defenders:

• Patch Immediately: Upgrade all MagicINFO 9 Server instances to version 21.1050 or later. Validate that the patch has been applied successfully by checking server version and reviewing vendor documentation.
• Log Review: Audit server and application logs for evidence of suspicious file writes, unexpected uploads, or changes to configuration files. Look for anomalous HTTP requests containing path traversal patterns (e.g., ../) and unauthorized file modifications.
• Network Segmentation: Ensure MagicINFO servers are isolated from core business systems and not exposed directly to the internet. Place signage infrastructure in a dedicated VLAN or DMZ, restricting access to only necessary management systems.
• Access Controls: Enforce strong authentication for all management interfaces. Remove or disable default accounts, and require multi-factor authentication where possible.
• Continuous Monitoring: Monitor for indicators of compromise (IoCs) published by Samsung, CISA, and security researchers. Deploy endpoint detection and response (EDR) tools to MagicINFO servers if feasible.
• Incident Response: If compromise is suspected, immediately isolate affected servers, perform forensic analysis to identify persistence mechanisms, and reset credentials and secrets. Notify stakeholders and follow regulatory reporting requirements if sensitive data or public-facing content was impacted.

Both IT and security teams should coordinate on patch management, monitoring, and incident response playbooks to ensure rapid mitigation and recovery. ², ⁴

Timeline

• Early 2025: Security researchers identify and privately report the vulnerability in MagicINFO 9 Server to Samsung.
• March 2025: Samsung releases a patch (version 21.1050) and updates security advisories.
• April 2025: Initial reports of scanning and exploitation attempts targeting unpatched servers begin to surface in threat intelligence feeds.
• May 2025: Arctic Wolf and CISA confirm active exploitation in the wild and issue public advisories.

Final Thoughts

The active exploitation of CVE-2024-7399 is a wake-up call for organizations to treat digital signage and other niche enterprise infrastructure as critical attack surfaces. Too often, these systems are left unpatched and unmonitored, making them attractive entry points for opportunistic and targeted attackers. This incident demonstrates the importance of a holistic vulnerability management program that includes all internet-facing assets, not just core business applications.

Security teams should take this opportunity to review their asset inventories, validate patch coverage, and ensure that monitoring and response plans extend to signage and other "shadow IT" deployments. The broader trend of attackers targeting overlooked enterprise software underscores the need for ongoing vigilance, cross-team collaboration, and proactive engagement with vendor advisories and threat intelligence feeds.

Related Articles

• Craft CMS CVE-2025-32432 Zero-Day Exploit Chain
• CISA Includes Broadcom, Commvault Vulnerabilities in KEV
• Microsoft Makes Passkeys Default: Passwordless Sign-Ins for Billions of Users