TP-EXP-2024-0004 CVE-2024-7399 high Patched AI Draft

Samsung MagicINFO 9 Server Unauthenticated File Upload to Remote Code Execution (CVE-2024-7399)

CVE: CVE-2024-7399
Platform: Samsung MagicINFO 9 Server <= 21.1050
Type: Path Traversal
Severity: HIGH
Status: Patched
Zero-Day: No
Disclosed: August 1, 2024
Patched: August 1, 2024
CISA KEV: Listed

Severity Assessment

  • Exploitability: 9/10 — Unauthenticated endpoint accessible over the internet; public PoC and Metasploit module available; exploitation actively observed in Mirai campaigns
  • Impact: 9/10 — Arbitrary code execution with SYSTEM-level authority on the MagicINFO server; full control of all managed digital signage displays and underlying server host
  • Weaponization Risk: 9/10 — Metasploit module merged (rapid7/metasploit-framework PR #20188); active exploitation by botnet operators confirmed by Arctic Wolf May 2025
  • Patch Urgency: 10/10 — CISA KEV-listed (2026-04-24), federal deadline 2026-05-08; exploitation continues despite patch availability since August 2024
  • Detection Coverage: 6/10 — JSP file creation in web-accessible directories is detectable; unauthenticated upload attempts appear in web server logs and can be alerted on

Summary

CVE-2024-7399 is a path traversal vulnerability in Samsung MagicINFO 9 Server, a content management system used to manage and remotely control digital signage displays in retail, healthcare, transportation, and enterprise environments. The flaw exists in the /MagicInfo/servlet/SWUpdateFileUploader endpoint, which processes firmware and software update file uploads. The endpoint does not check whether the caller is authenticated and does not properly sanitize the supplied filename, allowing an unauthenticated remote attacker to traverse the file system and write arbitrary files — including executable JavaServer Pages (JSP) — to web-accessible directories.

Once an attacker places a JSP web shell on the server, the servlet container executes it with the privileges of the MagicINFO server process, which typically runs with SYSTEM-level authority on Windows or root-equivalent privileges on Linux. The result is unauthenticated remote code execution on the MagicINFO server.

The vulnerability carries a CVSS 3.1 base score of 8.8 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Samsung patched the vulnerability in August 2024 in MagicINFO Server V9 version 21.1050.0. Active exploitation was first confirmed in May 2025 by Arctic Wolf following the public release of a proof-of-concept exploit. Exploitation campaigns observed in May 2025 leveraged the vulnerability to install Mirai botnet agents and expand DDoS infrastructure. A Metasploit module for CVE-2024-7399 was subsequently merged into the framework. CISA added CVE-2024-7399 to the Known Exploited Vulnerabilities catalog on 2026-04-24 with a federal remediation deadline of 2026-05-08.

Exploit Chain

Stage 1: Target Discovery

The attacker identifies internet-exposed Samsung MagicINFO 9 Server instances via passive scanning (Shodan, Censys) or active scanning for the /MagicInfo/ web root. MagicINFO servers are typically exposed on port 80 or 443 and serve a recognizable web interface, making fingerprinting straightforward. Scanning campaigns preceding observed exploitation activity were logged by multiple threat intelligence platforms beginning in late April 2025.

Stage 2: Malicious File Upload via Vulnerable Endpoint

The attacker sends an HTTP POST request to the /MagicInfo/servlet/SWUpdateFileUploader endpoint with a crafted multipart file upload payload. The filename field contains a path traversal sequence (e.g., ../../webapps/ROOT/shell.jsp) that, when concatenated with the server’s base upload path, resolves to a web-accessible directory. Because the endpoint performs no authentication check and no extension filtering, the server writes the attacker’s JSP payload to the specified path without challenge.

Stage 3: Web Shell Execution and System Compromise

The attacker issues an HTTP GET request to the newly written JSP file (e.g., http://target/shell.jsp?cmd=whoami). The servlet container executes the JSP, returning command output. The attacker now has arbitrary code execution with SYSTEM-level privileges on the server host.

Stage 4: Post-Exploitation Payload Deployment

In campaigns observed by Arctic Wolf in May 2025, attackers used the web shell execution capability to download and execute Mirai botnet agent binaries, establishing the compromised MagicINFO server as a DDoS-capable bot. Additional observed activity included credential harvesting from the MagicINFO configuration database (which contains credentials for managed display devices), lateral movement to the enterprise network hosting the MagicINFO server, and installation of persistent remote access tools alongside the JSP web shell.

Detection Guidance

Web server log analysis:

  • Alert on POST requests to /MagicInfo/servlet/SWUpdateFileUploader from external IP addresses, particularly with filenames containing ../, %2e%2e, or .jsp, .war, .jspx extensions
  • Monitor for HTTP requests to .jsp files in directories outside of the official MagicINFO web application layout — these indicate web shell staging
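The two web-log rules above, turned into a small detector that runs over access-log lines. This is an added example, not tooling from the advisory, Samsung, or Arctic Wolf. It assumes a front end writing Combined Log Format; the /MagicInfo/ prefix as the only legitimate location for application JSPs is an assumption to adjust per deployment; the sample log lines, the source addresses (a documentation range standing in for the internet, 10.0.0.12 for an administrator) and the query parameter on the third line are constructed. One caveat the rules need: a plain access log records only the request line, not the multipart filename, so the traversal check here inspects the decoded request target; where a proxy or WAF logs request bodies, the Content-Disposition filename should be fed through the same check.

```python
import ipaddress
import re
from urllib.parse import unquote

# Combined Log Format as written by Apache httpd or nginx in front of the
# servlet container; only the captured fields are used by the rules below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"
# Assumption: legitimate MagicINFO pages all live under this prefix. Adjust to
# the real deployment layout before trusting the third rule.
KNOWN_APP_PREFIXES = ("/MagicInfo/",)
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".war")
TRAVERSAL_MARKERS = ("../", "..\\")
INTERNAL_NETWORKS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
)


def is_external(ip: str) -> bool:
    """True unless the source sits in a private, loopback or link-local range.
    An unparsable address is treated as external rather than silently ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETWORKS)


def decode_target(target: str):
    """Split the request target into path and query. Percent-decoding is applied
    twice so that double-encoded sequences such as %252e%252e also become '..'."""
    path, _, query = target.partition("?")
    return unquote(unquote(path)), unquote(unquote(query))


def classify(record: dict) -> list:
    """Apply the web-log rules from the detection guidance to one parsed request."""
    path, query = decode_target(record["target"])
    full = (path + "?" + query).lower()
    hits = []
    on_upload_endpoint = path == UPLOAD_ENDPOINT
    # Rule 1: any external POST to the upload servlet is worth an alert on its own.
    if record["method"] == "POST" and on_upload_endpoint and is_external(record["ip"]):
        hits.append("external-post-to-upload-endpoint")
    # Rule 2: traversal sequences or script extensions in a request to the
    # upload servlet. A plain access log only shows the request target; feed the
    # multipart filename in here as well if a proxy or WAF logs request bodies.
    if on_upload_endpoint and (
        any(m in full for m in TRAVERSAL_MARKERS) or any(e in full for e in SCRIPT_EXTENSIONS)
    ):
        hits.append("upload-endpoint-traversal-or-script-name")
    # Rule 3: a JSP fetched from outside the known application tree is the
    # web-shell staging pattern described above.
    if record["method"] == "GET" and path.lower().endswith((".jsp", ".jspx")):
        if not path.startswith(KNOWN_APP_PREFIXES) or any(m in path for m in TRAVERSAL_MARKERS):
            hits.append("jsp-request-outside-app-layout")
    return hits


def analyze(lines) -> list:
    """Return one alert per log line that triggers at least one rule."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: not this detector's job
        record = m.groupdict()
        rules = classify(record)
        if rules:
            alerts.append({"ip": record["ip"], "ts": record["ts"],
                           "target": record["target"], "rules": rules})
    return alerts


# Constructed sample log: 203.0.113.0/24 (a documentation range) stands in for an
# internet source, 10.0.0.12 for an administrator on the internal network. The
# query parameter on the third line is invented for the demonstration.
SAMPLE_LOG = [
    '10.0.0.12 - admin [05/May/2025:09:58:41 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [05/May/2025:10:12:01 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 54 "-" "python-requests/2.31"',
    '203.0.113.45 - - [05/May/2025:10:12:02 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?name=..%2F..%2Fshell.jsp HTTP/1.1" 200 54 "-" "python-requests/2.31"',
    '203.0.113.45 - - [05/May/2025:10:12:05 +0000] "GET /shell.jsp?cmd=whoami HTTP/1.1" 200 120 "-" "python-requests/2.31"',
    '10.0.0.12 - admin [05/May/2025:10:15:00 +0000] "GET /MagicInfo/login.jsp HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["target"], ", ".join(alert["rules"]))
```

Run against the sample, the internal administrator upload and the application JSP produce nothing, while the three external requests each produce an alert; the decoding step is deliberately applied twice because single decoding is the usual gap that lets a double-encoded traversal sequence past a log-based rule.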

File system monitoring:

  • Audit the MagicINFO web root for new .jsp or .jspx files not present in the original installation; compare against a known-good baseline
  • Monitor file system write operations originating from the Java servlet container process to web-accessible directories outside of expected MagicINFO upload paths
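The baseline comparison recommended above, as an added example that is not part of the advisory or of any vendor tooling. It hashes every .jsp, .jspx and .war file under a web root, records that as a baseline, and later reports what was added, modified or removed. The directory layout and file contents in the demo are constructed; the baseline should be built from the vendor installation package rather than from a host that may already be compromised.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the servlet container will execute if a file lands in a
# web-accessible directory; these are the only files the audit tracks.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".war"}


def script_files(web_root: Path):
    """Yield (relative POSIX path, SHA-256) for every executable artefact under web_root."""
    for path in sorted(web_root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            yield path.relative_to(web_root).as_posix(), digest


def build_baseline(web_root: Path) -> dict:
    """Snapshot of a known-good tree, ideally unpacked from the vendor package."""
    return dict(script_files(web_root))


def audit(web_root: Path, baseline: dict) -> dict:
    """Compare the live web root with the baseline. 'added' is the finding that
    matters for CVE-2024-7399: a JSP the installer never shipped."""
    current = dict(script_files(web_root))
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed web root: two vendor pages, then a drop-in file and a tampered page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MagicInfo").mkdir()
        (root / "MagicInfo" / "index.jsp").write_text("<%-- vendor page (constructed) --%>")
        (root / "MagicInfo" / "login.jsp").write_text("<%-- vendor page (constructed) --%>")
        baseline = build_baseline(root)

        # What a successful upload leaves behind: a new JSP outside the
        # application tree, plus a legitimate page whose content changed.
        (root / "ROOT").mkdir()
        (root / "ROOT" / "shell.jsp").write_text("<%-- not in baseline (constructed) --%>")
        (root / "MagicInfo" / "login.jsp").write_text("<%-- modified (constructed) --%>")
        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real host, persist the output of build_baseline() off-box (JSON is enough) and run audit() on a schedule; a non-empty 'added' or 'modified' list for a server that has had no vendor update is the signal to pull the file and the surrounding upload logs.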

Process and network telemetry:

  • Alert on child processes spawned by the MagicINFO Java process (e.g., cmd.exe, powershell.exe on Windows; /bin/sh, wget, curl on Linux) — web shell commands execute as subprocesses of the servlet container
  • Monitor for outbound connections from the MagicINFO server to unusual external IP addresses, particularly binary download requests consistent with Mirai agent retrieval (HTTP GET for small ELF or PE binaries to non-CDN destinations)

Vulnerability scanning:

  • Assess all MagicINFO 9 Server instances against version 21.1050.0 (minimum patched); inventory both internet-facing and internally accessible deployments
  • Validate that the patch actually took effect: some reports describe environments that remained vulnerable after updating. Confirm patched behavior by verifying that unauthenticated upload attempts are rejected with HTTP 401 or 403

Indicators of Compromise

The following indicators are derived from Arctic Wolf incident response telemetry published May 2025.

  • Unexpected .jsp or .jspx files in the MagicINFO web application directory tree not present in the vendor-provided installation package
  • POST requests in web server logs targeting /MagicInfo/servlet/SWUpdateFileUploader with filenames containing traversal sequences or JSP extensions
  • Outbound connections from the MagicINFO server host to IP ranges associated with Mirai command-and-control infrastructure
  • Child processes of the MagicINFO Java process executing system commands, download utilities (wget, curl, certutil), or scripting interpreters
  • Entries in the MagicINFO audit log for file upload operations not initiated by legitimate administrator accounts, or audit log gaps/deletions that may indicate attacker cleanup activity

Disclosure Timeline

  • 2024-08-01: Samsung releases MagicINFO Server V9 version 21.1050.0 patching CVE-2024-7399 and publishes a security advisory
  • 2025-04-30 (approx.): Proof-of-concept exploit code for CVE-2024-7399 is published publicly
  • 2025-05-05: Active exploitation of CVE-2024-7399 first observed in the wild by Arctic Wolf; campaigns deploying Mirai botnet agents and JSP web shells confirmed
  • 2025-05-06: Arctic Wolf and Help Net Security publish exploitation alerts; Metasploit module (PR #20188) merged into rapid7/metasploit-framework
  • 2026-04-24: CISA adds CVE-2024-7399 to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of 2026-05-08

Sources & References