Hackers have begun actively exploiting a critical vulnerability in the Samsung MagicINFO 9 server that allows remote takeover of devices and installation of malicious software. MagicINFO is a centralized content management system used for digital signage in retail stores, airports, hospitals, office buildings, and restaurants. The server controls the scheduling, uploading, and display of media on digital screens.
The vulnerability centers around the file upload feature used for updating media content on displays. Cybercriminals discovered a way to exploit this functionality to upload malicious code. The core issue lies in improper path validation: attackers can upload a JSP script outside the permitted directory and place it in a location accessible via the web.
The vulnerability, CVE-2024-7399 (CVSS score: 8.8), was first disclosed in August 2024 and patched in version 21.1050. The vendor described it as a path restriction issue that allows an attacker to write arbitrary files as the system user, enabling remote command execution on the server.
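The class of flaw described above, unchecked use of a client-supplied file name when writing an upload, can be shown next to a hardened check. This is an added example in Python, not Samsung's code (the product itself serves JSP); the function names, the extension allow-list and the `/srv/signage/uploads` path are assumptions made for illustration.

```python
import os
from pathlib import Path, PureWindowsPath

# Assumed policy for this sketch: media types a signage server would accept.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".mp4"}


class UploadRejected(ValueError):
    """The client-supplied file name failed validation."""


def naive_destination(upload_root: str, client_name: str) -> str:
    """Flawed pattern: join the client-supplied name to the root unchecked."""
    return os.path.normpath(os.path.join(upload_root, client_name))


def safe_destination(upload_root: str, client_name: str) -> Path:
    """Return a path directly inside upload_root or raise UploadRejected."""
    if not client_name or "\x00" in client_name:
        raise UploadRejected("empty name or NUL byte")
    # Windows path rules treat '/', '\\' and drive prefixes as structure,
    # so a bare file name must survive this parse unchanged.
    if PureWindowsPath(client_name).name != client_name:
        raise UploadRejected("name carries a path component")
    # Allow-list by extension: server-side script types such as .jsp never match.
    if Path(client_name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    # Defense in depth: resolve symlinks and confirm the parent is the root.
    root = Path(upload_root).resolve()
    dest = (root / client_name).resolve()
    if dest.parent != root:
        raise UploadRejected("resolved path leaves the upload directory")
    return dest


def is_accepted(upload_root: str, client_name: str) -> bool:
    try:
        safe_destination(upload_root, client_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    root = "/srv/signage/uploads"  # constructed placeholder path
    for name in ["promo.jpg", "../webroot/status.jsp", "..\\status.jsp", "status.jsp"]:
        print(f"{name!r}: naive={naive_destination(root, name)} accepted={is_accepted(root, name)}")
```

Keeping the upload directory outside any path the web server will execute scripts from limits the impact even if a name check is bypassed.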
On April 30, 2025, researchers from SSD-Disclosure published a technical analysis and a working PoC exploit that enables unauthenticated command execution. The attacker sends a POST request with a malicious .jsp file, which is saved in a web-accessible directory. From there, simply visiting the file’s URL with a command parameter will display the command output directly in the browser.
Arctic Wolf reported that the exploit is already being used in real-world attacks just days after the PoC release. This shows how quickly threat actors have adopted the method in their campaigns. Experts warn that due to the low entry barrier and the public availability of exploit code, a surge in attacks is highly likely.
Confirmed in-the-wild exploitation has also been reported by analyst Johannes Ullrich, who observed the vulnerability being used by the Mirai botnet — one of the most notorious malware tools for hijacking IoT devices — further escalating the threat.
Administrators of Samsung MagicINFO 9 servers are strongly urged to update to version 21.1050 or newer immediately to prevent compromise. Given how easy the vulnerability is to exploit and how rapidly it is spreading among cybercriminals, delays could result in loss of control over critical infrastructure.
