- Security researchers have seen a bug in Samsung MagicINFO 9 Server abused in the wild
- It is being used to deploy malware
- The bug was fixed in August 2024, so users should patch now
Cybercriminals are abusing a vulnerability in Samsung MagicINFO 9 Server that was patched almost a year ago.
Cybersecurity researchers SSD-Disclosure published an in-depth analysis and a proof-of-concept (PoC) of the threat against the company’s digital signage content management system (CMS).
It is used to manage, schedule, and monitor multimedia content across Samsung smart displays, and is a popular solution in different industries such as retail, or transportation.
PoC and abuse
In August 2024, Samsung announced fixing a remote code execution vulnerability. It described it as an “improper limitation of a pathname to a restricted directory vulnerability allowing attackers to write arbitrary files as system authority”. It was tracked as CVE-2024-7399, and was given a severity score of 8.8/10 (high).
BleepingComputer described it as an ability to upload malware through a file upload functionality intended for updating display content. Samsung addressed it in version 21.1050.
Despite being fixed almost a year ago, threat actors are finding unpathed endpoints to target. SSD-Disclosure said attackers are uploading malicious .jsp files via an unauthenticated POST request.
In addition, security firm Arctic Wolf noted how, several days after the PoC was released, it observed the flaw being leveraged in attacks.
“Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability,” the researchers said.
We don’t know how successful these attacks are, who the threat actors are, or how many organizations fell victim. We also don’t know if the threat actors are focusing on any specific industry, or if they are simply casting a wide net.
In any case, organizations using Samsung MagicINFO 9 Server are advised to apply the latest patch, or at least bring their software to version 21.1050 to mitigate the risks.
Via BleepingComputer
