CVE-2024-7399
Published 2024-08-12
Priority: P196 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-05-08
Exploited in the wild
EPSS: 91.94% (99.8th percentile)
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| samsung | magicinfo_9_server | < 21.1050.0 | 21.1050.0 |
| samsung_electronics | magicinfo_9_server | < 21.1050 | 21.1050 |
Detection & IOCs
URL: `POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/{{filename}}.jsp&deviceType=abc&deviceModelName=test&swVer=123`
- Detect unauthenticated POST requests to /MagicInfo/servlet/SWUpdateFileUploader with a fileName parameter containing path traversal sequences (e.g., ../../) and a .jsp extension, indicating attempted web shell upload.
- Monitor for subsequent GET requests to /MagicInfo/*.jsp with a cmd or input query parameter, which indicates web shell execution after successful upload.
- Exploitation is unauthenticated: no session or auth token is required. Alert on any POST to SWUpdateFileUploader from unauthenticated sessions.
- Use Shodan to identify internet-exposed Samsung MagicINFO 9 Server instances via the HTTP Server header 'MagicInfo Premium Server' and prioritize patching or network isolation.
- Version 21.1050.0 has been independently verified as still vulnerable; do not rely solely on version checks for patch validation. Verify that the specific file upload path traversal is blocked.
- The August 2024 patch (version 21.1050) may be incomplete or address a different but similar vulnerability. Version 21.1050.0 has been confirmed vulnerable to the publicly available PoC exploit. Do not treat version 21.1050 as a safe baseline.
- There is active debate about whether the SSD-Disclosure PoC targets CVE-2024-7399 or an unfixed zero-day; Samsung's download portal reportedly does not offer the latest firmware version, complicating remediation.
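The request patterns in the detection notes above, applied to web access logs. This is an added example, not code from any of the cited sources; it assumes combined-format access logs and that an uploaded file is later requested under its base name, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

UPLOAD_PATH = "/MagicInfo/servlet/SWUpdateFileUploader"
# Combined-log-format prefix: client, timestamp, "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# Two or more consecutive ./ or ../ segments (either slash), as in the Suricata rule
TRAVERSAL_RE = re.compile(r"(?:\.{1,2}[/\\]+){2,}")
JSP_PATH_RE = re.compile(r"/MagicInfo/([^/]+\.jsp)", re.I)

def scan(lines):
    """Return (rule, client, detail) findings for access-log lines."""
    findings, uploaded = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        params = parse_qs(url.query, keep_blank_values=True)
        if method == "POST" and path.startswith(UPLOAD_PATH):
            # parse_qs decodes once; unquote again to catch double encoding
            name = unquote(params.get("fileName", [""])[0])
            if TRAVERSAL_RE.search(name) and name.lower().endswith(".jsp"):
                uploaded.add(re.split(r"[/\\]", name)[-1].lower())
                findings.append(("traversal_jsp_upload", client, name))
            else:  # any POST to the servlet is still worth a lower-severity alert
                findings.append(("upload_servlet_post", client, name))
            continue
        jsp = JSP_PATH_RE.fullmatch(path)
        if method == "GET" and jsp and {"cmd", "input"} & params.keys():
            # Assumption: the written file is served under its base name
            rule = ("webshell_after_upload" if jsp.group(1).lower() in uploaded
                    else "jsp_command_param")
            findings.append((rule, client, path))
    return findings

# Constructed sample lines (documentation addresses, placeholder file names)
SAMPLE_LOG = [
    '198.51.100.7 - - [06/May/2025:10:01:02 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=./../../../../../../server/example.jsp&deviceType=abc&deviceModelName=test&swVer=123 HTTP/1.1" 200 12',
    '198.51.100.7 - - [06/May/2025:10:01:09 +0000] "GET /MagicInfo/example.jsp?cmd=example HTTP/1.1" 200 31',
    '203.0.113.20 - - [06/May/2025:10:05:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=%252e%252e%252f%252e%252e%252fserver%252fb.jsp HTTP/1.1" 200 12',
    '192.0.2.44 - - [06/May/2025:10:06:00 +0000] "GET /MagicInfo/login.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/May/2025:10:07:00 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader?fileName=fw_1.2.bin HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The third sample line is double URL-encoded, which a single decode pass would miss; the access log carries no authentication state, so the lower-severity `upload_servlet_post` finding stands in for the "any POST" alert.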
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 HIGH
cisa · 7.5 HIGH
GHSA
GHSA-9x68-238r-w7mq: Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21
ghsa_unreviewed·2024-08-12
CVE-2024-7399 [HIGH] CWE-22 GHSA-9x68-238r-w7mq: Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
VulnCheck
Samsung magicinfo_9_server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2024·CVSS 8.8
CVE-2024-7399 [HIGH] Samsung magicinfo_9_server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
Affected: Samsung magicinfo_9_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://arcticwolf.com/resources/blog/cve-2024-7399/; https://isc.sans.edu/diary/rss/31920; https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw; https://app.crowdsec.net/cti/cve-explorer/CVE-2024-7399; https://dashboard.shadowserver.org/statistics/honeypot/vu
CISA
Samsung MagicINFO 9 Server Path Traversal Vulnerability
cisa·2026-04-24·CVSS 7.5
CVE-2024-7399 [HIGH] CWE-22 Samsung MagicINFO 9 Server Path Traversal Vulnerability
Vulnerability: Samsung MagicINFO 9 Server Path Traversal Vulnerability
Affected: Samsung MagicINFO 9 Server
Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399
Remediation Due Date: 2026-05-08
Suricata
ET WEB_SPECIFIC_APPS Samsung MagicINFO SWUpdateFileUploader fileName parameter Directory Traversal Attempt (CVE-2024-7399)
suricata·2025-05-06·CVSS 8.8
CVE-2024-7399 [HIGH] ET WEB_SPECIFIC_APPS Samsung MagicINFO SWUpdateFileUploader fileName parameter Directory Traversal Attempt (CVE-2024-7399)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Samsung MagicINFO SWUpdateFileUploader fileName parameter Directory Traversal Attempt (CVE-2024-7399)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/MagicInfo/servlet/SWUpdateFileUploader"; fast_pattern; startswith; content:"fileName|3d|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:cve,2024-7399; reference:url,ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/; classtype:attempted-admin; sid:2062136; rev:1; metadata:affected_product Samsung, attack_target Web_Server, tls_state TLSDecrypt, c
Nuclei
Samsung MagicINFO 9 Server 21.1050.0 - Remote Code Execution
nuclei·CVSS 7.5
CVE-2024-7399 [HIGH] Samsung MagicINFO 9 Server 21.1050.0 - Remote Code Execution
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
Template:
```yaml
id: CVE-2024-7399
info:
  name: Samsung MagicINFO 9 Server 21.1050.0 - Remote Code Execution
  author: iamnoooob,pdresearch
  severity: high
  description: |
    Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
  impact: |
    Authenticated attackers can exploit path traversal to write arbitrary JSP files with system privileges, achieving remote code execution and complete server compromise.
  remediation: |
    Upda
```
Metasploit
Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)
metasploit·CVSS 7.5
CVE-2024-7399 [HIGH] Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)
Remote Code Execution in Samsung MagicINFO 9 Server <= 21.1050.0. Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet, which can be queried by an unauthenticated user to upload a JSP shell. By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT AUTHORITY\SYSTEM.
Hackernews
CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
blogs_hackernews·2026-04-25·CVSS 9.9
CVE-2024-57726 [CRITICAL] CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
## CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below:
CVE-2024-57726 (CVSS score: 9.9) - A missing authorization vulnerability in SimpleHelp that could allow low-privileged technicians to create API keys with excessive permissions, which can then be used to escalate privileges to the server admi
Bleepingcomputer
Samsung patches actively exploited zero-day reported by WhatsApp
blogs_bleepingcomputer·2025-09-12·CVSS 8.8
CVE-2025-21043 [HIGH] Samsung patches actively exploited zero-day reported by WhatsApp
## Samsung patches actively exploited zero-day reported by WhatsApp
## Sergiu Gatlan
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices.
Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely.
"Out-of-bounds Write in libimagecodec.quram.s
Checkpoint
12th May – Threat Intelligence Report
blogs_checkpoint·2025-05-12
CVE-2025-27363 12th May – Threat Intelligence Report
## 12th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The UK’s Legal Aid Agency has suffered a cyberattack. The agency, which operates under the Ministry of Justice to provide billions in legal aid funding, has stated that financial information relating to legal aid providers may have been accessed by a third party.
UK based Education giant Pearson disclosed it had suffered a cyber
Huntress
Rapid Response: Samsung MagicINFO 9 Server Flaw
blogs_huntress·2025-05-07·CVSS 7.5
CVE-2024-7399 [HIGH] Rapid Response: Samsung MagicINFO 9 Server Flaw
TL;DR: While reports have indicated the latest version of Samsung MagicINFO 9 Server fixes a high-severity flaw (CVE-2024-7399), Huntress has independently verified that the latest version (21.1050.0) is vulnerable to a publicly available proof-of-concept (PoC). We have also observed exploitation in the wild impacting the latest version. Users should ensure their MagicINFO 9 Server is not internet-facing until a fix is available.
Beginning on January 12, 2025, a researcher working with SSD Disclosure reportedly notified Samsung about a number of vulnerabilities present in MagicINFO 9 Server, its content management system used to control digital signage displays. These vulnerabilities together allow an unauthenticated user to upload a web shell and achieve remote code execution under the A
Bleepingcomputer
Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
blogs_bleepingcomputer·2025-05-06·CVSS 8.8
[HIGH] Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
## Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
## Bill Toulas
Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
Samsung MagicINFO Server is a centralized content management system (CMS) used to remotely manage and control digital signage displays made by Samsung. It is used by retail stores, airports, hospitals, corporate buildings, and restaurants, where there's a need to schedule, distribute, display, and monitor multimedia content.
The server component features a file upload functionality intended for updating display content, but hackers are abusing it to upload malicious code.
The flaw, tracked under CVE-2024-7399, was first publicly disclosed in August 2024
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Greynoiseio
NoiseLetter May 2025
blogs_greynoiseio
2024-08-12: Published
2026-04-24: Added to CISA KEV
Exploited in the wild