
Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)


As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files. 

This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On 30 April 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication. 

Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability. Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed. 

Technical details

CVE-2024-7399 arises from a flaw in the input verification logic of Samsung MagicINFO 9 Server, which improperly sanitises a user-supplied filename. The filename is processed without validating the file extension or checking whether the user making the request is authenticated. As a result, unauthenticated threat actors can upload JSP files and execute arbitrary code with system authority on vulnerable servers. 
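To make the three missing checks concrete, the following added example (not Samsung's code, and not derived from the MagicINFO source) contrasts a naive upload-path join with a hardened version that authenticates the caller, rejects directory components, enforces an extension allow-list and confirms the resolved path stays inside the upload root. The upload root, allow-list and sample filenames are constructed for illustration.

```python
import posixpath

# Hypothetical upload root and extension allow-list, constructed for this example.
UPLOAD_ROOT = "/opt/magicinfo/uploads"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".mp4"}


def unsafe_target_path(filename: str) -> str:
    """Vulnerable pattern: the client-supplied filename is joined to the upload
    root with no authentication, traversal or extension check, so '..'
    components walk out of the root."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def escapes_root(path: str) -> bool:
    """True when a resolved path lies outside UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT


def safe_target_path(filename: str, authenticated: bool) -> str:
    """Hardened pattern: require authentication, accept only a bare filename
    with exactly one allow-listed extension, and confirm the resolved path
    is still inside UPLOAD_ROOT before any write happens."""
    if not authenticated:
        raise PermissionError("upload requires an authenticated session")
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        raise ValueError("directory separators and NUL bytes are not allowed")
    if filename.startswith(".") or filename.count(".") != 1:
        raise ValueError("filename must be 'name.ext' with a single extension")
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not on the allow-list")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    if escapes_root(candidate):  # defence in depth; unreachable after the checks above
        raise ValueError("resolved path leaves the upload root")
    return candidate


def validate_upload(filename: str, authenticated: bool = True) -> tuple:
    """Return (accepted, detail): the target path when accepted, else the reason."""
    try:
        return True, safe_target_path(filename, authenticated)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in ("banner.png", "../../webapps/ROOT/page.jsp", "page.jsp"):
        print(name, "->", validate_upload(name))
```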

Recommendations for CVE-2024-7399

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade Samsung MagicINFO to the latest fixed version. 

| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Samsung MagicINFO 9 Server | Prior to 21.1050 | 21.1050 and later |

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 
