While reports suggest that the latest version of Samsung MagicINFO 9 Server (21.1050.0) addresses the high-severity vulnerability tracked as CVE-2024-7399, Huntress has independently confirmed that this version remains vulnerable to a publicly available proof-of-concept (PoC).
Huntress has also observed active exploitation of this flaw in the wild, affecting even the most recent version.
Until a proper fix is released, Huntress says MagicINFO 9 Server should not be exposed to the internet.
On 12 January, a researcher working with SSD Disclosure reportedly notified Samsung of several vulnerabilities in MagicINFO 9 Server, Samsung’s content management system for controlling digital signage displays.
An unauthenticated attacker can chain these flaws to upload a web shell and gain remote code execution via the Apache Tomcat process.
Samsung reportedly marked the issue as a duplicate, and over 90 days later, on April 30, an advisory was published disclosing the vulnerabilities. The blog post identified MagicINFO 9 Server version 21.1050.0 as affected, which was the latest version at the time of publication.
Despite this, a vulnerability with a nearly identical description was later assigned CVE-2024-7399 in August 2024, when Samsung issued a patch.
Shortly after SSD Disclosure’s public report, Arctic Wolf observed in-the-wild exploitation and attributed it to CVE-2024-7399, indicating that systems running versions prior to 21.1050 were impacted.
The narrative that version 21.1050 was not affected was widely echoed by media outlets.
However, Huntress also detected exploitation in the wild, including on systems running the latest patch. This reinforced suspicions raised by SSD Disclosure that version 21.1050.0 remains vulnerable.
Huntress subsequently verified that both versions 21.1050.0 and 21.1040.2 are still susceptible to attack, with no working patch available at the time of writing.
This suggests that the August 2024 patch was either incomplete or addressed a different, though related, issue. Huntress has informed Samsung but has yet to receive a response.
Security researcher Johannes Ullrich has also reported that a variant of the Mirai botnet is now exploiting this unpatched vulnerability in the wild.
For now, it is critical to ensure that MagicINFO 9 Server is not accessible from the internet until a comprehensive update is issued and applied.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


