CVE-2024-7399
published 2024-08-12

Priority: P1 · 96 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2026-05-08)
Exploited in the wild
EPSS: 91.94% (99.8th percentile)
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.

Affected (2 ranges)

Vendor               Product             Version range   Fixed in
samsung              magicinfo_9_server  < 21.1050.0     21.1050.0
samsung_electronics  magicinfo_9_server  < 21.1050       21.1050

Detection & IOCs (extracted from sources)

url:      POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/{(unknown)}.jsp&deviceType=abc&deviceModelName=test&swVer=123
path:     /MagicInfo/servlet/SWUpdateFileUploader
path:     /MagicInfo/{(unknown)}.jsp
filename: *.jsp (web shell uploaded via path traversal)
other:    Shodan query: Server: MagicInfo Premium Server
  • Detect POST requests to /MagicInfo/servlet/SWUpdateFileUploader whose fileName parameter contains path traversal sequences (e.g., ../../, including percent-encoded forms) and ends in .jsp; this is the web shell upload attempt.
  • Monitor for subsequent GET requests to /MagicInfo/*.jsp carrying a cmd or input query parameter, which indicates execution of the web shell after a successful upload.
  • Exploitation is unauthenticated: no session or auth token is required. Alert on any POST to SWUpdateFileUploader that is not tied to an authenticated session.
  • Use Shodan to identify internet-exposed Samsung MagicINFO 9 Server instances via the HTTP Server header 'MagicInfo Premium Server', and prioritize them for patching or network isolation.
  • Version 21.1050 (the August 2024 patch, reported as 21.1050.0) has been independently confirmed vulnerable to the publicly available PoC; the patch may be incomplete or may address a different but similar vulnerability. Do not treat 21.1050 as a safe baseline and do not rely solely on version checks for patch validation: verify that the fileName path traversal on SWUpdateFileUploader is actually blocked.
  • There is active debate about whether the SSD-Disclosure PoC targets CVE-2024-7399 or an unfixed zero-day; Samsung's download portal reportedly does not offer the latest firmware version, which complicates remediation.
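The two log-based detection bullets above as a small scanner, written here as an added example (it is not code from this page, from Samsung, or from the PoC author). It parses combined-format access-log lines, flags POSTs to the SWUpdateFileUploader servlet whose fileName percent-decodes to a traversal sequence ending in .jsp, and flags GETs to a .jsp under /MagicInfo/ that carry a cmd or input parameter, marking the latter as post-upload execution when the same source already triggered the upload rule. The log lines are constructed for the example and the shell file name in them is hypothetical; a real access log will not tell you whether the session was authenticated, so that bullet still needs the application's own session data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_SERVLET = "/MagicInfo/servlet/SWUpdateFileUploader"
WEBSHELL_PARAMS = {"cmd", "input"}
# A ".." path component bounded by / or \ (or string start/end).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from a real host); shell.jsp / x.jsp are hypothetical names.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2025:10:12:01 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/shell.jsp&deviceType=abc&deviceModelName=test&swVer=123 HTTP/1.1" 200 512
203.0.113.5 - - [05/May/2025:10:12:03 +0000] "GET /MagicInfo/shell.jsp?cmd=whoami HTTP/1.1" 200 87
198.51.100.7 - - [05/May/2025:10:15:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=%2e%2e%2f%2e%2e%2fserver%2fx.jsp&deviceType=abc HTTP/1.1" 200 512
192.0.2.9 - - [05/May/2025:10:20:00 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 2048
192.0.2.9 - - [05/May/2025:10:21:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=firmware.bin&deviceType=abc HTTP/1.1" 200 512
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded variants normalise to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def upload_traversal(method: str, target: str):
    """Decoded fileName if this is a POST to the updater with traversal to a .jsp, else None."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    if parts.path.lower() != UPLOAD_SERVLET.lower():
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != "filename":  # match fileName regardless of case
            continue
        for fname in (fully_decode(v) for v in values):
            if TRAVERSAL_RE.search(fname) and fname.lower().endswith(".jsp"):
                return fname
    return None


def webshell_invocation(method: str, target: str):
    """Decoded path if this is a GET to /MagicInfo/*.jsp with a cmd/input parameter, else None."""
    if method != "GET":
        return None
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if not (path.lower().startswith("/magicinfo/") and path.lower().endswith(".jsp")):
        return None
    if WEBSHELL_PARAMS & set(parse_qs(parts.query, keep_blank_values=True)):
        return path
    return None


def scan_log(log_text: str):
    """Run both rules over a log; a GET rule hit from an IP that already uploaded is tagged after_upload."""
    alerts, uploaders = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scanner
        ip, ts, method, target = m["ip"], m["ts"], m["method"], m["target"]
        fname = upload_traversal(method, target)
        if fname:
            uploaders.add(ip)
            alerts.append({"ip": ip, "ts": ts, "rule": "swupdate_traversal_upload",
                           "detail": fname, "after_upload": False})
            continue
        shell = webshell_invocation(method, target)
        if shell:
            alerts.append({"ip": ip, "ts": ts, "rule": "jsp_webshell_exec",
                           "detail": shell, "after_upload": ip in uploaders})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running the block prints three alerts for the constructed log: the traversal upload from 203.0.113.5, the cmd= request to the same .jsp from that IP (after_upload true), and the percent-encoded upload from 198.51.100.7; the benign firmware.bin upload and the login page request produce nothing. The rules key on the decoded fileName rather than the raw query string so that encoding tricks do not slip past the traversal regex.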

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        8.8  HIGH
cisa             7.5  HIGH