TL;DR: While reports have indicated the latest version of Samsung MagicINFO 9 Server fixes a high-severity flaw (CVE-2024-7399), Huntress has independently verified that the latest version (21.1050.0) is vulnerable to a publicly available proof-of-concept (PoC). We have also observed exploitation in the wild impacting the latest version. Users should ensure their MagicINFO 9 Server is not internet-facing until a fix is available.
Beginning on January 12, 2025, a researcher working with SSD Disclosure reportedly notified Samsung about a number of vulnerabilities present in MagicINFO 9 Server, its content management system used to control digital signage displays. These vulnerabilities together allow an unauthenticated user to upload a web shell and achieve remote code execution under the Apache Tomcat process.
This was reportedly marked as a duplicate issue by Samsung, and after more than 90 days from the time of reporting, this information was made available in the following advisory on April 30.
The blog post details the affected version as MagicINFO 9 Server 21.1050.0, which at the time of publishing was the latest version made available. Despite this, in August 2024, a vulnerability with a very similar description was registered as CVE-2024-7399, and a patch was made available at the time.
Within days of publishing the public disclosure by SSD Disclosure, Arctic Wolf observed exploitation in the wild and publicly reported this as being the result of CVE-2024-7399, stating systems affected were versions prior to 21.1050. This was quickly picked up by media outlets with the same narrative that systems running version 21.1050 were safe. Huntress also observed exploitation in the wild; however, some of the systems impacted had the latest available patch, which strengthened the assumption that the latest available version (21.1050.0) was indeed still vulnerable, as mentioned by SSD Disclosure.
Huntress was able to independently verify that version 21.1050.0 and 21.1040.2 of MagicINFO 9 Server was indeed still vulnerable, and that there are currently no patches available. It can only be concluded that the patch from August 2024 was either incomplete or for a separate, but similar, vulnerability. Huntress has reached out to the team at Samsung, notifying them of this, but at the time of writing, is yet to receive a response.
Figure 1: View of Config File with Version Number and Webshell
As seen in the video above, MagicINFO 9 Server version 21.1050 is vulnerable to the publicly reported PoC.
Johannes Ullrich also reported on a version of the Mirai botnet, which is now exploiting this unpatched vulnerability in the wild.
At this point in time it’s important to ensure MagicINFO 9 Server is not internet-facing until a proper update has been released and patch applied.
