Security researchers have confirmed that hackers are actively exploiting a critical vulnerability in Samsung’s digital signage management platform, potentially affecting thousands of displays in public spaces worldwide.
The vulnerability, identified as CVE-2024-7399, allows attackers to remotely execute malicious code on Samsung MagicINFO 9 Servers without requiring authentication.
This flaw affects systems used to control digital displays in retail stores, airports, hospitals, corporate buildings, and restaurants around the globe.
Samsung MagicINFO Server is a widely-deployed content management system that enables organizations to remotely manage and control digital signage displays.
The software is responsible for scheduling, distributing, displaying, and monitoring multimedia content across networks of Samsung displays.
The vulnerability was initially patched by Samsung in August 2024 with the release of version 21.1050.
At that time, Samsung described the issue as an “improper limitation of a pathname to a restricted directory vulnerability” that allows attackers to “write arbitrary files with system authority.”
However, the situation escalated on April 30, 2025, when security researchers at SSD-Disclosure published a detailed write-up along with proof-of-concept code demonstrating how to exploit the vulnerability.
The published exploit showed how attackers could achieve remote code execution by uploading a JSP web shell without any authentication required.
Just days after the proof-of-concept was released, Arctic Wolf security researchers confirmed seeing active exploitation attempts in the wild. The attacks follow the disclosed methodology.
- Attackers upload a malicious .jsp file through an unauthenticated POST request
- Path traversal techniques place the file in a web-accessible location.
- By visiting the uploaded file with a command parameter, attackers can execute arbitrary operating system commands.
“Given the low barrier to exploitation and the availability of a public proof of concept, threat actors are likely to continue targeting this vulnerability,” warned Arctic Wolf in their advisory.
In a separate confirmation, threat analyst Johannes Ullrich reported observing variants of the Mirai botnet malware leveraging CVE-2024-7399 to compromise vulnerable devices and expand their botnet operations.
Security experts are strongly advising all organizations using Samsung MagicINFO Server to immediately upgrade to version 21.1050 or later to mitigate the risk.
Organizations are also advised to implement network segmentation for digital signage systems and monitor for unusual traffic patterns or suspicious file uploads that could indicate compromise attempts.
You must be logged in to post a comment.