Administrators of Samsung MagicInfo 9 Server have been urged to air gap their systems from the internet after researchers spotted exploit attempts impacting a recently updated version.
The Samsung product is described as a hub for managing the tech giant’s popular digital signage displays, which are found in many public locations like airports, as well as corporate offices.
However, there’s some confusion about whether the latest attacks are exploiting a bug first disclosed and patched last year (CVE-2024-7399), or a zero-day vulnerability found in January by a researcher working with SSD Disclosure.
The latter vulnerability, or collection of bugs, allows “an unauthenticated user to upload a web shell and achieve remote code execution under the Apache Tomcat process,” according to Huntress.
The flaws are said to affect MagicInfo 9 Server 21.1050.0 – the latest version of the server. However, they are apparently very similar to CVE-2024-7399, which was published in August 2024. In fact, they are so similar that, when reported to Samsung, the vendor registered them as a duplicate issue and appeared to take no further action.
As a result, SSD Disclosure published a proof-of-concept exploit in line with its 90-day disclosure window, back on April 30.
Within days, Arctic Wolf spotted what it claimed to be exploits of CVE-2024-7399, saying that the affected systems were versions prior to 21.1050.
“This was quickly picked up by media outlets with the same narrative that systems running version 21.1050 were safe,” explained Huntress in a blog post.
“Huntress also observed exploitation in the wild; however, some of the systems impacted had the latest available patch, which strengthened the assumption that the latest available version (21.1050.0) was indeed still vulnerable, as mentioned by SSD Disclosure.”
The bottom line is that versions 21.1050.0 and 21.1040.2 of MagicInfo 9 Server are still vulnerable, and no patches are available, according to Huntress.
“It can only be concluded that the patch from August 2024 was either incomplete or for a separate, but similar, vulnerability,” the security vendor concluded.
“Huntress has reached out to the team at Samsung, notifying them of this, but at the time of writing, is yet to receive a response.”
The advice for MagicInfo 9 Server administrators is therefore to ensure that any installations aren’t internet-facing until a proper patch has been released.