A critical security vulnerability has been identified in Samsung’s MagicINFO digital signage management platform. Tracked as CVE-2024-7399, this flaw affects versions of MagicINFO 9 Server prior to 21.1050 and has a CVSS score of 9.8, indicating maximum severity. The vulnerability arises from a path traversal issue that allows attackers to upload arbitrary files and execute malicious code on the server without authentication. This issue particularly affects the /MagicInfo/servlet/SWUpdateFileUploader endpoint, which fails to properly validate user-supplied file paths.
Security researchers discovered that the endpoint fails to authenticate users and does not properly validate file names or extensions.
This allows attackers to upload malicious files, such as web shells, that can be executed with system-level privileges. The flaw stems from improper handling of file paths, as the application concatenates file names with directory paths without neutralizing special path elements. This results in an opportunity for attackers to exploit path traversal sequences and upload files to unauthorized locations on the server.
The vulnerability’s root cause lies in the way MagicINFO handles file paths in HTTP requests. Attackers can exploit the flaw to upload malicious code that runs with server privileges, potentially leading to a complete system compromise. Samsung has acknowledged the issue and released a patch in version 21.1050 to address the problem.
The update modifies the verification logic of input to prevent unauthorized file uploads and ensure proper validation of file paths.
Organizations using affected versions of Samsung MagicINFO 9 Server are strongly advised to update to version 21.1050 or later immediately. The flaw can be triggered remotely and requires no user interaction to exploit. Given the widespread use of Samsung MagicINFO for digital signage across various industries, this vulnerability poses a significant security risk to organizations relying on the platform for display management.
