The patches for an exploited Samsung MagicINFO content management system (CMS) vulnerability appear ineffective as threat actors are exploiting it against updated systems, security firm Huntress warns.
The issue, tracked as CVE-2024-7399 (CVSS score of 8.8) and described as the improper sanitization of user input, allows unauthenticated attackers to upload JSP files and execute arbitrary code on the server with system privileges.
Fixes for the flaw were announced in August 2024, while its in-the-wild exploitation was flagged earlier this week, after proof-of-concept (PoC) exploit code was made public.
Cybersecurity firm Arctic Wolf, which warned of the bug’s exploitation, urged users to update to MagicINFO 9 Server version 21.1050 or newer to stay protected, but now Huntress says that the 21.1050 release too is affected by the vulnerability.
“Huntress also observed exploitation in the wild; however, some of the systems impacted had the latest available patch, which strengthened the assumption that the latest available version (21.1050.0) was indeed still vulnerable,” the security firm notes.
The publicly available PoC, Huntress says, works against versions 21.1050.0 and 21.1040.2 of MagicINFO 9 Server, meaning that no fix is currently available for the bug.
“It can only be concluded that the patch from August 2024 was either incomplete or for a separate, but similar, vulnerability,” Huntress says.
The company’s report validates an SSD Disclosure advisory stating that the latest MagicINFO 9 Server release is impacted by multiple vulnerabilities that allow unauthenticated attackers to execute arbitrary server-side code.
“These vulnerabilities together allow an unauthenticated user to upload a web shell and achieve remote code execution under the Apache Tomcat process,” Huntress notes.
According to SSD Disclosure, Samsung was notified of these security defects on January 12, 2025, but marked the report as duplicate.
Shortly after the bug’s exploitation came to light, SANS’s Johannes Ullrich warned that a Mirai-based botnet has been targeting vulnerable MagicINFO CMS instances.
Huntress recommends that users disconnect their MagicINFO 9 servers from the internet until a proper patch is released.
Related: Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites
Related: Android Update Patches FreeType Vulnerability Exploited as Zero-Day
Related: PoC Published for Exploited SonicWall Vulnerabilities