A path traversal flaw in Samsung MagicINFO 9 Server lets network-reachable attackers write arbitrary files with system authority, and CISA added it to the KEV catalog on 2026-04-24, confirming active exploitation.
What Is It
CVE-2024-7399 is an improper limitation of a pathname to a restricted directory (CWE-22) in Samsung MagicINFO 9 Server. The KEV entry also tags it with CWE-434 (unrestricted file upload), reflecting that the traversal primitive lets attackers drop arbitrary files on disk. Successful exploitation results in an arbitrary file write performed with system authority on the host running the server.
NVD scores the flaw 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) as the primary metric; Samsung's own PSIRT scores it 8.8 HIGH, differing only on whether low privileges are required. Either way the vector is network-reachable, low-complexity, and yields full confidentiality, integrity, and availability impact.
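To make the CWE-22 plus CWE-434 combination concrete from the defender's side, here is an added example (not MagicINFO code, and not based on the product's internals) contrasting the unsafe pattern behind this class of bug, joining a client-supplied file name straight onto an upload directory, with a containment check made on the resolved path. The base directory and file names are constructed for illustration.

```python
import os
from typing import Optional

# Constructed example: the base directory and file names below are assumptions
# for illustration, not values taken from MagicINFO.

def vulnerable_upload_path(base_dir: str, client_name: str) -> str:
    """The CWE-22 pattern: os.path.join does not normalise '..' segments,
    so a crafted name can point outside base_dir."""
    return os.path.join(base_dir, client_name)


def resolve_upload_path(base_dir: str, client_name: str) -> Optional[str]:
    """Return the absolute path an upload may be written to, or None if the
    client-supplied name would land outside base_dir.

    The decision is made on the *resolved* path, after normalisation and
    symlink resolution, rather than by stripping '..' from the name.
    """
    base = os.path.realpath(base_dir)

    # Reject absolute names up front, whichever separator style is used,
    # and Windows drive-letter prefixes such as "C:" (the server may run there).
    if os.path.isabs(client_name) or client_name.startswith(("/", "\\")):
        return None
    if len(client_name) > 1 and client_name[1] == ":":
        return None

    # Treat backslashes as separators so "..\\" is not smuggled past the check.
    normalised = client_name.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(base, normalised))

    # Compare with a trailing separator: a plain prefix test would accept
    # "/srv/uploads_evil/x" as being inside "/srv/uploads".
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate
```

A server-side fix of this kind is only one layer; on an exposed MagicINFO host the reliable remediation is still the vendor build 21.1050 or later.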
Why It Matters
MagicINFO is Samsung's digital-signage management platform, typically deployed to push content to fleets of displays in retail, transit, corporate, and public-venue environments. An attacker who can write arbitrary files as system authority on the management server has a direct path to full server takeover and to weaponising the signage fleet downstream.
CISA added CVE-2024-7399 to the Known Exploited Vulnerabilities catalog on 2026-04-24, confirming in-the-wild exploitation. Arctic Wolf has separately published observations of exploitation activity targeting this vulnerability. Known ransomware campaign use is listed as "Unknown" in KEV.
What's Vulnerable
- Samsung MagicINFO 9 Server, all versions prior to 21.1050 (CPE: cpe:2.3:a:samsung:magicinfo_9_server:*:*:*:*:*:*:*:*, versionEndExcluding: 21.1050.0).
Patch Status
Samsung has published fixed builds at version 21.1050 and later via its security update portal. CISA's required action, with a due date of 2026-05-08 for federal civilian agencies under BOD 22-01, is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.