
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-7399, a critical vulnerability in Samsung's MagicINFO 9 Server, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is a path traversal in a file-upload endpoint: an unauthenticated attacker can write a file outside the intended upload directory, and because the server process runs with system-level privileges, placing a malicious JSP file in a web-served directory turns the arbitrary file write into remote code execution with those privileges.
Vulnerability Details
CVE-2024-7399 is an improper limitation of a pathname to a restricted directory (path traversal) in the /MagicInfo/servlet/SWUpdateFileUploader endpoint of MagicINFO 9 Server versions before 21.1050. The endpoint does not sanitize the client-supplied file name, so `../` sequences let an attacker direct the uploaded content to an arbitrary location on disk. Writing a JavaServer Pages (JSP) file into a directory the servlet container serves gives the attacker a web shell that the server executes with system-level privileges. The vulnerability has been exploited in the wild, and researchers have reported compromises of servers already running version 21.1050, so that version alone should not be treated as a complete fix.
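The bug class above, shown as an added example that is not MagicINFO's code: a file-upload handler that joins the client-supplied name onto the upload directory as-is, next to a hardened version that strips the directory part, verifies the resolved path stays inside the upload directory, and allow-lists the extension so a server-side script type such as .jsp is never written. The directory layout and the allowed-extension list are assumptions for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed layout in a temp directory so the script runs offline. These
# directory names are assumptions for the illustration, not MagicINFO's layout.
ROOT = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
UPLOAD_DIR = ROOT / "upload"                 # where uploads are supposed to land
WEB_ROOT = ROOT / "webapps" / "MagicInfo"    # a directory the servlet container serves
UPLOAD_DIR.mkdir()
WEB_ROOT.mkdir(parents=True)

# Assumed allow-list: a software-update uploader should only ever accept
# update bundles, never server-side script types such as .jsp.
ALLOWED_SUFFIXES = {".zip", ".bin"}


def naive_save(filename: str, data: bytes) -> Path:
    """Vulnerable pattern: the client-supplied name is joined to the upload
    directory as-is. pathlib keeps the '..' segments, so the OS resolves
    'upload/../webapps/MagicInfo/shell.jsp' to a path outside UPLOAD_DIR."""
    dest = UPLOAD_DIR / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest.resolve()


def safe_save(filename: str, data: bytes) -> Path:
    """Hardened pattern: strip any directory part, resolve the result and
    confirm it is still inside UPLOAD_DIR, then allow-list the extension."""
    # Normalise Windows separators first so 'a\\..\\b' is treated like 'a/../b'.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or traversal-only filename")
    dest = (UPLOAD_DIR / base).resolve()
    if UPLOAD_DIR.resolve() not in dest.parents:
        raise ValueError("resolved path escapes the upload directory")
    if dest.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {dest.suffix!r}")
    dest.write_bytes(data)
    return dest


def is_rejected(filename: str) -> bool:
    """True if safe_save refuses the name (used to exercise the checks)."""
    try:
        safe_save(filename, b"x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "../webapps/MagicInfo/shell.jsp"
    print("naive writes to:", naive_save(evil, b"<% /* web shell */ %>"))
    print("safe rejects evil name:", is_rejected(evil))
    print("safe accepts update.zip:", safe_save("update.zip", b"PK").name)
```

The containment check (resolve, then compare against the upload directory) is what actually closes the traversal; the basename strip and the extension allow-list are defence in depth, and the allow-list is what stops a JSP from being written even to the correct directory. If the framework percent-decodes file names before they reach the handler, the check must run on the decoded value, not the raw one.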
Impact and Exploitation
Successful exploitation gives an attacker a web shell running with system-level privileges on the signage server, which leads to unauthorized access, data exfiltration and full compromise of the host. Security researchers have observed active, opportunistic exploitation, including botnet operators scanning for and compromising internet-exposed MagicINFO servers.
Recommendations
Given the severity and active exploitation of CVE-2024-7399, organizations utilizing Samsung MagicINFO 9 Server should take immediate action:
- Update Software: Upgrade MagicINFO 9 Server to the latest version Samsung has published for this issue. Reports of compromises on version 21.1050 mean that version alone should not be assumed to close the hole.
- Restrict Network Access: Do not expose the management server directly to the internet; place it behind a VPN or allow-listed access controls and segment it from the rest of the network.
- Monitor Systems: Review web server and application logs for POST requests to the SWUpdateFileUploader servlet from unexpected sources, look for newly created .jsp files under the application's web directories, and watch for unexpected child processes spawned by the MagicINFO service.
- Apply Security Patches: Track Samsung's security advisories for this product and apply any follow-up fixes as they are released.
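The monitoring step above, as an added example that is not part of the original advisory or of any vendor tooling: a small access-log triage script run over constructed Apache/Tomcat "combined" format lines. It flags percent-encoded or plain `../` sequences in a request line (decoding repeatedly so double encoding is not missed), POSTs to the SWUpdateFileUploader servlet, and any request for a .jsp resource from a source that previously posted to that servlet. The log format, the sample lines, the addresses and the rule logic are assumptions for the illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/MagicInfo/servlet/SWUpdateFileUploader"

# Constructed sample in Apache/Tomcat "combined" access-log format. The
# addresses are RFC 5737 documentation ranges and the requests are invented
# for this illustration; they are not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2025:10:01:12 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 47 "-" "python-requests/2.31"
203.0.113.10 - - [05/May/2025:10:01:14 +0000] "GET /MagicInfo/sysupdate.jsp?cmd=whoami HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [05/May/2025:10:05:00 +0000] "GET /MagicInfo/login.htm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2025:10:05:03 +0000] "POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1" 200 47 "-" "Mozilla/5.0"
192.0.2.44 - - [05/May/2025:10:07:30 +0000] "GET /MagicInfo/servlet/SWUpdateFileUploader/..%252F..%252Fwebapps HTTP/1.1" 400 0 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences such as
    %252e%252e%252f are reduced to '../' before matching."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a '../' or '..\\' segment."""
    return "../" in decode_fully(target).replace("\\", "/")


def analyze(log_text: str) -> list[dict]:
    """Return findings: traversal in a request line, successful POSTs to the
    upload servlet, and .jsp requests from an IP that previously hit it."""
    findings = []
    uploaders: dict[str, list[str]] = defaultdict(list)   # ip -> POST timestamps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.group("ip", "ts", "method", "target", "status")
        path = target.split("?", 1)[0]
        if has_traversal(target):
            findings.append({"ip": ip, "ts": ts, "rule": "traversal_in_request", "target": target})
        if method == "POST" and path.startswith(UPLOAD_ENDPOINT) and status.startswith("2"):
            uploaders[ip].append(ts)
            findings.append({"ip": ip, "ts": ts, "rule": "upload_servlet_post", "target": target})
        elif ip in uploaders and re.search(r"\.jspx?$", decode_fully(path), re.IGNORECASE):
            findings.append({"ip": ip, "ts": ts, "rule": "jsp_after_upload", "target": target})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:15} {f['rule']:22} {f['target']}")
```

Two caveats a practitioner should keep in mind. In a real upload the traversal sequence travels in the multipart request body (the uploaded file name), which a standard access log does not record, so the `traversal_in_request` rule only catches attackers who also put it in the URL; the POST-then-JSP correlation and an on-host check for newly created .jsp files under the web directories are the more dependable signals from this evidence. And if the application legitimately serves .jsp pages, `jsp_after_upload` will also fire on normal administrator traffic, so tune it with an allow-list of known page names or restrict it to paths that did not exist before the POST.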
By promptly addressing this vulnerability, organizations can mitigate the risk of exploitation and enhance the security of their digital signage infrastructure.