Security researchers have confirmed active exploitation of a critical vulnerability in Samsung’s MagicINFO 9 Server (CVE-2024-7399), with recent attacks linking the flaw to Mirai botnet deployment.
The vulnerability enables unauthenticated attackers to upload arbitrary files and achieve remote code execution, posing a serious risk to digital signage systems managed by the software.
Arctic Wolf was the first to report in-the-wild exploitation yesterday noting that attacks began shortly after a detailed technical analysis and proof-of-concept (PoC) exploit were published on April 30 by SSD Secure Disclosure. The security firm observed attackers leveraging the flaw to write malicious JavaServer Pages (JSP) files, effectively giving them the ability to execute commands on vulnerable servers with system-level privileges. This marks a sharp escalation from the flaw’s initial disclosure in August 2024, when Samsung quietly issued a patch with little accompanying detail and no evidence of exploitation at the time.
MagicINFO is Samsung’s proprietary content management system designed to centrally manage and schedule digital content across its commercial display products. The platform is widely used in retail, hospitality, transportation hubs, and enterprise environments to power smart signage solutions — making it a high-value target due to its visibility and network reach.
The vulnerability, identified as CVE-2024-7399, stems from improper input validation in the SWUpdateFileUploader endpoint, implemented by the SWUpdateFileUploadServlet class. According to SSD’s technical breakdown, the endpoint fails to enforce authentication checks, does not sanitize filenames against path traversal attempts, and ignores file extension validation. This allows attackers to upload JSP-based webshells and gain direct execution control on the server. Samsung addressed the issue in version 21.1050 of MagicINFO Server but did not initially highlight the potential for remote code execution or the risk to unauthenticated systems.
Today, researchers at the SANS Internet Storm Center reported seeing active exploitation involving familiar Mirai botnet behaviors. A sample attack involved uploading a malicious shell named 1746466018shell.jsp using a crafted POST request, which in turn downloaded and executed a shell script (ohshit.sh) from a remote IP address. The script fetched multiple architecture-specific binaries labeled “boatnet” using wget, curl, tftp, and ftpget, designed to ensure persistence and compatibility across various IoT devices. These binaries were identified as variants of the Mirai malware, a notorious botnet used in large-scale DDoS attacks.
The public release of a PoC by SSD likely accelerated exploitation. Their April 30 write-up demonstrated a trivial exploitation path using only a curl command to upload a webshell to the target server, followed by direct interaction with the malicious script via a browser. The low complexity of the attack, combined with the critical nature of the systems involved, makes the situation particularly urgent.
SSD Secure Disclosure
Organizations running Samsung MagicINFO Server should take the following actions immediately:
- Upgrade to version 21.1050 or later, which includes the vendor-provided patch to address CVE-2024-7399.
- Audit server logs for suspicious file uploads to the /MagicInfo/servlet/SWUpdateFileUploader endpoint.
- Isolate affected systems from the internet if patching is not immediately feasible.
- Implement WAF rules or URL filtering to block suspicious POST requests with multipart data targeting vulnerable endpoints.
- Harden exposed servers by enforcing authentication and disabling unused services.
Leave a Reply