🔴 CVE-2024-7399

Path traversal vulnerability in Samsung MagicINFO 9 Server allows remote attackers to write arbitrary files with system authority. The vulnerability is actively exploited in the wild and listed in CISA KEV catalog.

Risk Level: HIGH_RISK
CVSS Score: 8.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2024-08-09

Added to CISA KEV: 2026-04-24 (623 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2024-7399 is a high-severity (CVSS 8.8) vulnerability affecting the Samsung MagicINFO 9 Server, a management platform for digital signage displays. Below is a summary of the known details regarding this vulnerability.

Overview and Impact
  • Vulnerability Type: Improper limitation of a pathname to a restricted directory (Path Traversal) [5].
  • Impact: Successful exploitation allows unauthenticated attackers to write arbitrary files to the server with system-level authority [3].
  • Remote Code Execution (RCE): By uploading specially crafted JavaServer Pages (JSP) files, attackers can achieve remote code execution on the affected server [1].
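The flaw class described above (a filename that is "sanitized" but still escapes the intended directory, so an upload lands wherever the attacker wants, including a servlet container's web root as a JSP) is easiest to see side by side. The following Python is an added illustration, not MagicINFO's code; the upload root, the Tomcat web-root path and the strip-once sanitizer are assumptions chosen to show the pattern, not details taken from the product.

```python
import posixpath

# Assumed directories for the illustration (not MagicINFO's real layout).
UPLOAD_ROOT = "/opt/signage/uploads"
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".mp4"}


def naive_sanitize(filename: str) -> str:
    """A flawed sanitizer of the kind CWE-22 write-ups describe: it strips
    traversal tokens once, so '....//' collapses to '../' after the replace."""
    return filename.replace("../", "")


def vulnerable_target(filename: str) -> str:
    """Where the 'sanitized' name actually lands once the OS normalizes it."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, naive_sanitize(filename)))


def hardened_target(filename: str) -> str:
    """Reject rather than repair: bare basename only, allowlisted extension,
    and a final containment check on the normalized path."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name != filename:
        # Any directory component, forward or back slash, is refused outright.
        raise ValueError("filename must be a bare file name")
    if posixpath.splitext(name)[1].lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type not allowed")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Defense in depth: even if an earlier check regresses, the write must stay
    # under UPLOAD_ROOT. commonpath catches '/opt/signage/uploads-evil' too.
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return target


def escapes_root(target: str) -> bool:
    """True when a resolved target is outside UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT


if __name__ == "__main__":
    # Constructed attacker-style filename aimed at an assumed Tomcat web root.
    evil = "....//....//....//opt/tomcat/webapps/ROOT/shell.jsp"
    landed = vulnerable_target(evil)
    print("vulnerable write lands at:", landed, "escaped:", escapes_root(landed))
    for candidate in (evil, "shell.jsp", "logo.png"):
        try:
            print("hardened accepts:", hardened_target(candidate))
        except ValueError as exc:
            print("hardened rejects", repr(candidate), "->", exc)
```

The containment check is what matters; stripping tokens from attacker input and trusting the result is exactly the pattern that the PoC's double-encoded and repeated-dot variants defeat.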
Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been observed being exploited in the wild. Activity increased significantly in early May 2025, shortly after technical details and a proof-of-concept (PoC) exploit were published by SSD Disclosure [1].
  • Threat Actors: There are reports of threat actors leveraging this vulnerability to deploy variants of the Mirai botnet on compromised systems [6].
  • Attack Requirements:
    * Authentication: None required; the vulnerability is exploitable by unauthenticated attackers [3].
    * Access: Network-based.
    * User Interaction: None required.
Proof-of-Concept Availability
  • A functional proof-of-concept (PoC) exploit was made publicly available by SSD Disclosure, which facilitated the surge in active exploitation observed in May 2025 [1].
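Because exploitation is a single unauthenticated upload followed by a request for the dropped JSP, both steps are visible in the web server's access log. The page does not name the vulnerable endpoint, so the Python below (an added example, not from the page or from any of the cited vendors) uses a generic `/upload?filename=` route and constructed log lines; it decodes the request target repeatedly to catch URL- and double-URL-encoded traversal, then flags a JSP written via traversal and any later JSP request from the same client.

```python
import re
from urllib.parse import unquote

# Constructed Apache/Tomcat combined-format lines; IPs and paths are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:10:12:01 +0000] "POST /upload?filename=....//....//ROOT/cmd.jsp HTTP/1.1" 200 512
203.0.113.7 - - [05/May/2025:10:12:03 +0000] "GET /cmd.jsp?cmd=id HTTP/1.1" 200 88
198.51.100.4 - - [05/May/2025:10:15:22 +0000] "POST /upload?filename=%2e%2e%2f%2e%2e%2fROOT%2fx.jsp HTTP/1.1" 200 512
192.0.2.9 - - [05/May/2025:10:20:00 +0000] "POST /upload?filename=banner.png HTTP/1.1" 200 512
192.0.2.9 - - [05/May/2025:10:21:00 +0000] "GET /content/banner.png HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# After full decoding, '....//', '../' and '..\' all contain this.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
JSP_RE = re.compile(r"\.jspx?\b", re.IGNORECASE)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding until the string stops changing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text: str) -> list[dict]:
    """Return findings in log order. Rules:
      jsp_write_via_traversal : traversal sequence and a .jsp name in one request
      traversal_attempt       : traversal sequence without a JSP name
      jsp_request_after_write : a .jsp request from a client that already triggered a write
    """
    findings = []
    writers: set[str] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ip, target = m["ip"], decode_fully(m["target"])
        traversal = bool(TRAVERSAL_RE.search(target))
        jsp = bool(JSP_RE.search(target))
        rule = None
        if traversal and jsp:
            rule = "jsp_write_via_traversal"
            writers.add(ip)
        elif traversal:
            rule = "traversal_attempt"
        elif jsp and ip in writers:
            rule = "jsp_request_after_write"
        if rule:
            findings.append({"ip": ip, "ts": m["ts"], "rule": rule, "target": target})
    return findings


def summarize(findings: list[dict]) -> dict[str, list[str]]:
    """Client IP -> ordered list of rules it tripped."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f["ip"], []).append(f["rule"])
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['rule']:24} {f['target']}")
```

A write followed by a request for the same JSP from one client is the strongest signal; on a real server, corroborate with new `.jsp` files under the servlet container's web root and child processes spawned by the Java process.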
Affected Versions and Mitigation Status
  • Affected Versions: Samsung MagicINFO 9 Server versions prior to 21.1050 [5].
  • Patch Status:
    * Samsung initially released a patch in August 2024. However, research published in May 2025 showed that the original patch was either incomplete or that a separate, related vulnerability existed, because the PoC exploit remained effective against "patched" versions [2].
    * On May 7, 2025, Samsung released a hotfix (version 21.1052); the remaining path traversal issue was tracked under a new identifier, CVE-2025-4632 [4].
  • Recommendation: Organizations running Samsung MagicINFO 9 Server should update to 21.1052 or later. Being on 21.1050 (the original August 2024 fix) is not sufficient, since that build was shown to remain exploitable by the public PoC; only the hotfix addresses both the original and the follow-on path traversal issue.

Sources

  1. CVE-2024-7399 - Arctic Wolf

    At the start of May 2025, Arctic Wolf observed in-the-wild exploitation of a vulnerability associated with Samsung MagicINFO 9 Server, shortly ... The vulnerability described in the SSD disclosure research article allows unauthenticated threat actors to write arbitrary files to the server, which can…

  2. Follow-Up: Samsung Patches Zero-Day Vulnerability in... - Arctic Wolf

    Samsung had patched CVE-2024-7399 in August 2024 following responsible disclosure by security researchers. However, in May 2025, Huntress demonstrated that the available patch was either incomplete or that a separate vulnerability still existed, as the proof-of-concept exploit…

  3. Exploited: Vulnerability in software for managing Samsung digital ...

    “CVE-2024-7399 arises from a flaw in the input verification logic of Samsung MagicINFO 9 Server, which improperly sanitizes a filename input. This process…

  4. Samsung patches MagicINFO 9 Server vulnerability exploited by...

    Then, on May 7, 2025, Samsung pushed out MagicINFO 9 Server (Hotfix) 21.1052. The company’s page for security updates says that they have patched CVE-2025-4632, an improper limitation of a pathname to a restricted directory vulnerability that allows attackers to write arbitrary file as system author…

  5. NVD - CVE-2024-7399

    CVE-2024-7399 Detail. Description. Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.Reference CI…

  6. Threat Actors Ramp Up Exploitation of Widely

    Threat actors are actively exploiting vulnerabilities in outdated and unpatched systems to deploy Mirai botnet variants and carry out targeted attacks. ... Additionally, a recently patched Windows vulnerability has been exploited as a zero-day by threat actors linked to the Play ransomware group in…