
Follow-Up: Samsung MagicINFO 9 Remains Vulnerable to Ongoing Exploitation

The previously recommended fixed version of Samsung MagicINFO 9 Server is still affected by a vulnerability that is being exploited in the wild.

Update – Recent reports confirm that the previously recommended fixed version (21.1050) of Samsung MagicINFO 9 Server is still affected by a vulnerability that is being exploited in the wild. There is currently no official patch available, and the only mitigation is to ensure MagicINFO Server is not internet-facing.

At the start of May 2025, Arctic Wolf observed in-the-wild exploitation of a vulnerability associated with Samsung MagicINFO 9 Server, shortly after the publication of technical details and a proof-of-concept (PoC) exploit by SSD disclosure. The vulnerability described in the SSD disclosure research article allows unauthenticated threat actors to write arbitrary files to the server, which can lead to remote code execution if specially crafted JavaServer Pages (JSP) files are uploaded.

While Samsung had originally noted the existence of CVE-2024-7399 in August 2024 following responsible disclosure by security researchers, new research suggests that the patch was either incomplete or that a separate vulnerability still exists. Given the public availability of a PoC exploit and the continued lack of a functional fixed version, Arctic Wolf assesses that threat actors are likely to continue exploiting this vulnerability.

Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.

Recommendation

Remove Publicly-Exposed Instances of Samsung MagicINFO 9 Server From the Internet

As a security best practice, Arctic Wolf strongly recommends ensuring that any Samsung MagicINFO 9 Server instances are not left exposed to the public internet. Even after a patch becomes available, to minimize the risk of new vulnerabilities, Arctic Wolf continues to recommend keeping such services non-internet-facing unless absolutely necessary.
