Lyrie · CVE Deep Dive
CVSS 9.8 · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 4/25/2026

CVE-2024-7399: Samsung MagicINFO Path Traversal to SYSTEM-Level RCE

CVSS 9.8 (CRITICAL) | Samsung MagicINFO 9 Server < 21.1050 | Unauthenticated Path Traversal → SYSTEM Authority File Write → RCE

Executive Summary

CVE-2024-7399 is a critical path traversal vulnerability in Samsung MagicINFO 9 Server that allows unauthenticated attackers to write arbitrary files with SYSTEM authority. By exploiting the SWUpdateFileUploader servlet, attackers can upload malicious JSP webshells to the application directory, achieving remote code execution with the highest Windows privileges.

Key Facts:

  • Authentication required: None (unauthenticated exploitation)
  • Privilege escalation: Direct to NT AUTHORITY\SYSTEM
  • Attack vector: Network (default ports 7001 HTTP, 7002 HTTPS)
  • CISA KEV status: Added April 24, 2026
  • Metasploit module: Available (rapid7/metasploit-framework#20188)

Vulnerability Mechanics

Samsung MagicINFO 9 Server is enterprise digital signage management software deployed in corporate environments, retail displays, transportation hubs, and public spaces. The vulnerability chain:

1. Unauthenticated Access to SWUpdateFileUploader

The /SWUpdateFileUploader servlet is accessible without authentication

2. Path Traversal in File Upload

A filename crafted with ../ sequences bypasses the directory restrictions on the upload path

3. Arbitrary File Write as SYSTEM

MagicINFO runs as NT AUTHORITY\SYSTEM by default, so uploaded files are written with SYSTEM authority

4. JSP Webshell Execution

The attacker uploads a JSP file into the webroot, requests it over HTTP, and runs arbitrary commands with SYSTEM privileges

Root Cause: Improper limitation of pathname to restricted directory (CWE-22) combined with inadequate authentication on file upload endpoint[^1].

Attack Surface

Affected Versions

  • Samsung MagicINFO 9 Server < 21.1050
  • Default installation on Windows Server
  • Runs as NT AUTHORITY\SYSTEM (highest Windows privilege)
  • Listens on all interfaces: 0.0.0.0:7001 (HTTP), 0.0.0.0:7002 (HTTPS)

Attack Vector

POST /SWUpdateFileUploader HTTP/1.1
Host: target.com:7001
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="../../webapps/ROOT/shell.jsp"
Content-Type: application/octet-stream

<JSP webshell payload>
------WebKitFormBoundary--

Post-Exploitation

Once the webshell is uploaded (e.g., to /webapps/ROOT/shell.jsp), the attacker requests:

http://target.com:7001/shell.jsp?cmd=whoami

Response: nt authority\system

Real-World Impact

Deployment Context

MagicINFO is deployed in:

  • Corporate office digital signage (lobby displays, meeting room booking)
  • Retail environments (promotional displays, menu boards)
  • Transportation hubs (flight information, train schedules)
  • Healthcare facilities (patient information displays)
  • Educational institutions (campus announcements)

Exploitation Implications

Data Breach: Access to internal signage content, schedules, corporate communications

Lateral Movement: SYSTEM-level access enables network pivoting, credential harvesting

Operational Disruption: Control over public-facing displays, potential for misinformation campaigns

Persistence: SYSTEM authority allows installation of rootkits, backdoors, scheduled tasks

Detection & Response

Network Indicators

POST requests to /SWUpdateFileUploader
Multipart form data with suspicious filenames containing ../
HTTP 200 responses from SWUpdateFileUploader endpoint
Subsequent GET requests to .jsp files in webroot
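As an added example (not part of the original advisory), the following Python triage script applies the network indicators above, and the log review in remediation step 4, to Tomcat-style access-log lines: it flags POSTs to the upload servlet, decodes URL-encoded traversal sequences (including double encoding), and treats a later GET for a webroot JSP from the same client as the webshell access. The sample lines are constructed, and Tomcat's common log format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat "common" access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2026:10:01:02 +0000] "POST /SWUpdateFileUploader HTTP/1.1" 200 12
10.0.0.9 - - [25/Apr/2026:10:01:05 +0000] "GET /MagicInfo/ HTTP/1.1" 200 5120
10.0.0.5 - - [25/Apr/2026:10:01:09 +0000] "GET /shell.jsp?cmd=whoami HTTP/1.1" 200 41
10.0.0.7 - - [25/Apr/2026:10:03:00 +0000] "POST /SWUpdateFileUploader?f=..%2f..%2fwebapps HTTP/1.1" 200 12
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/SWUpdateFileUploader"


def has_traversal(text):
    """True if the text contains ../ (or ..\\) after URL-decoding, including double-encoded forms."""
    decoded = unquote(unquote(text)).replace("\\", "/")
    return "../" in decoded


def triage(log_text):
    """Return (severity, client_ip, note) tuples for lines matching the advisory's indicators."""
    findings = []
    uploaders = set()  # clients that received HTTP 200 from the upload servlet
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], m["status"]
        path, _, query = m["target"].partition("?")
        if method == "POST" and path == UPLOADER:
            if has_traversal(query):
                findings.append(("critical", ip, "upload servlet POST with traversal"))
            else:
                findings.append(("high", ip, "upload servlet POST"))
            if status == "200":
                uploaders.add(ip)
        elif method == "GET" and path.lower().endswith(".jsp") and "/" not in path[1:]:
            # A JSP directly under the webroot is where a dropped shell would land;
            # it is critical when the same client hit the upload servlet first.
            severity = "critical" if ip in uploaders else "medium"
            findings.append((severity, ip, f"webroot JSP request {path}"))
    return findings
```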

File System Indicators

Unexpected .jsp files in MagicINFO webroot:
C:\Program Files\Samsung\MagicInfo Premium Server\webapps\ROOT\*.jsp

File creation timestamps that don't match legitimate deployments
Files owned by SYSTEM with suspicious content (eval, Runtime.exec, ProcessBuilder)

Process Indicators

MagicINFO java.exe spawning child processes:
- cmd.exe
- powershell.exe
- net.exe (user enumeration, lateral movement)
- reg.exe (registry manipulation)
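An added example, not from the advisory: a Python check that applies the parent/child process indicators above to Sysmon Event ID 1 (process creation) records supplied as JSON lines. The records are constructed, and the java.exe path under the MagicINFO install directory is an assumption (the advisory names only the webroot), so the match keys on "MagicInfo" appearing anywhere in the parent image path.

```python
import json
import ntpath

# Child images the advisory lists as suspicious when spawned by the MagicINFO JVM.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "reg.exe"}

# Constructed Sysmon Event ID 1 records as JSON lines; not real telemetry. The
# java.exe path under the MagicINFO install directory is an assumption.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Samsung\MagicInfo Premium Server\jre\bin\java.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Program Files\Samsung\MagicInfo Premium Server\jre\bin\java.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "conhost.exe 0x4"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "CommandLine": "net use"},
])


def is_magicinfo_jvm(parent_image):
    """Parent is java.exe living somewhere under a MagicInfo install path."""
    return ntpath.basename(parent_image).lower() == "java.exe" and "magicinfo" in parent_image.lower()


def flag_process_events(jsonl):
    """Return one finding per suspicious child process of the MagicINFO JVM."""
    findings = []
    for line in jsonl.splitlines():
        ev = json.loads(line)
        child = ntpath.basename(ev.get("Image", "")).lower()
        if is_magicinfo_jvm(ev.get("ParentImage", "")) and child in SUSPICIOUS_CHILDREN:
            findings.append({
                "child": child,
                "user": ev.get("User", ""),
                "cmdline": ev.get("CommandLine", ""),
                # A SYSTEM parent means the dropped shell inherits the service's authority.
                "system": ev.get("User", "").upper().endswith("\\SYSTEM"),
            })
    return findings
```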

Sigma Rule

title: Samsung MagicINFO Path Traversal Exploitation (CVE-2024-7399)
status: experimental
description: POST to the unauthenticated SWUpdateFileUploader servlet combined with a traversal sequence. The traversal lives in the multipart filename, which webserver access logs do not record, so selection_traversal only matches where a WAF or reverse-proxy log exposes the request body in the queried field; where it does not, relax the condition to selection_upload alone.
logsource:
  category: webserver
detection:
  selection_upload:
    cs-uri-path: '/SWUpdateFileUploader'
    cs-method: 'POST'
  selection_traversal:
    cs-uri-query|contains:
      - '../'
      - '..%2f'
      - '..%5c'
  condition: selection_upload and selection_traversal
level: critical

Full detection package including YARA rules and IOCs available in Lyrie's CVE-2024-7399 exploit lab.

Remediation

Immediate Actions

1. Upgrade to MagicINFO 9 Server version 21.1050 or later[^2]

2. Network isolation: Restrict MagicINFO ports (7001, 7002) to internal management networks only

3. Hunt for webshells: Scan webapps/ROOT/ for unexpected JSP files

4. Review logs: Check IIS/Tomcat access logs for /SWUpdateFileUploader POST requests

5. Incident response: If exploitation suspected, assume full system compromise, perform forensics, rebuild from clean backups
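An added example (not the advisory's own tooling) that implements the file-system indicators from the Detection section and step 3 above: it walks a webroot, flags any .jsp modified after the deployment time or containing the command-execution tokens the advisory names, and reports each with its mtime. The demo builds a throwaway webroot holding a benign page backdated to deployment and a constructed, non-functional fragment that only carries those tokens; on a host, call hunt() with the MagicINFO webroot path and the product's deployment time.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Command-execution tokens the advisory names, plus the parameter-to-exec shape they usually take.
SUSPICIOUS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"\bProcessBuilder\b"),
    re.compile(r"\beval\s*\("),
    re.compile(r"request\.getParameter\([^)]*\)[\s\S]{0,200}?\.exec\("),
]


def scan_jsp(path):
    """Return the suspicious patterns found in one JSP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [p.pattern for p in SUSPICIOUS if p.search(src)]


def hunt(webroot, deployed_at):
    """(relative path, mtime ISO, matches) for JSPs newer than deployment or carrying exec tokens."""
    hits = []
    for root, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(root, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            matches = scan_jsp(full)
            if matches or mtime > deployed_at:
                hits.append((os.path.relpath(full, webroot), mtime.isoformat(), matches))
    return hits


def demo():
    """Constructed webroot: a benign page backdated to deployment, and a fresh JSP with exec tokens."""
    root = tempfile.mkdtemp()
    deployed_at = datetime.now(tz=timezone.utc) - timedelta(days=1)
    benign = os.path.join(root, "index.jsp")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write('<%@ page contentType="text/html" %><html>Signage portal</html>')
    old = (deployed_at - timedelta(days=1)).timestamp()
    os.utime(benign, (old, old))  # looks like it shipped with the product
    with open(os.path.join(root, "shell.jsp"), "w", encoding="utf-8") as fh:
        # Constructed, non-functional fragment that only carries the tell-tale tokens.
        fh.write("<% /* constructed */ ProcessBuilder Runtime.getRuntime().exec %>")
    return hunt(root, deployed_at)
```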

Hardening Recommendations

  • Never expose MagicINFO to public internet (this is enterprise management software, not a public-facing service)
  • Implement WAF rules blocking path traversal sequences in filenames
  • Enable authentication on all management endpoints
  • Principle of least privilege: Run MagicINFO with dedicated service account, not SYSTEM (requires architecture redesign)
  • Network segmentation: Isolate digital signage management networks from corporate production

Shodan/Censys Detection

product:"Samsung MagicINFO"
http.title:"MagicINFO"
port:7001,7002

Lyrie Verdict

Threat Level: HIGH

CVE-2024-7399 exemplifies the security gaps in enterprise IoT and digital signage infrastructure:

Unauthenticated exploitation — no credentials required

Direct SYSTEM access — highest Windows privilege

Trivial exploitation — Metasploit module available

Broad deployment — corporate, retail, transportation, healthcare

Poor security posture — often internet-exposed, rarely patched

The Digital Signage Blind Spot:

Organizations invest heavily in securing workstations, servers, and cloud infrastructure, yet digital signage management platforms operate as security afterthoughts. MagicINFO servers run with SYSTEM privileges, are frequently internet-accessible (for "convenience"), and receive minimal security monitoring.

This vulnerability demonstrates the risk when operational technology (OT) and IT converge without security-by-design principles. A compromised digital signage platform becomes a beachhead for:

  • Network reconnaissance (SYSTEM can read cached credentials, access network shares)
  • Lateral movement (pivot to AD, file servers, databases)
  • Persistence (install backdoors that survive signage software updates)
  • Misinformation campaigns (hijack public-facing displays)

Recommended Posture:

  • Treat digital signage infrastructure with same security rigor as critical IT systems
  • Assume any internet-exposed MagicINFO instance < 21.1050 is compromised
  • Implement zero-trust network architecture for OT/IoT management platforms
  • Automate vulnerability scanning and patching for non-traditional IT assets

Organizations relying on "security through obscurity" (e.g., "nobody targets digital signage") are vulnerable to opportunistic scanning and automated exploitation.


References

[^1]: CVE Details: CVE-2024-7399 - Remote Code Execution in Samsung MagicINFO

[^2]: Samsung PSIRT Advisory: MagicINFO 9 Server Security Update



Last Updated: April 26, 2026

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

Validated sources

  1. NIST NVD
  2. MITRE CVE
  3. Lyrie Research Lab