Unpatched Samsung flaw puts its digital signage at risk of becoming botnet zombies

May 10, 2025 - 11:48

A remote code execution vulnerability in the Samsung MagicINFO 9 server has been left improperly patched, and it's already coming under attack by a variant of the Mirai botnet.

Once a server is compromised through this vulnerability, it essentially becomes a botnet zombie, and could potentially be used to launch Distributed Denial of Service (DDoS) attacks or further spread malware.

Samsung hasn't released a proper fix for this vulnerability yet

Samsung makes many digital signage solutions that are widely used, including at airports, hospitals, restaurants, corporate offices, retail stores, and more. Samsung MagicINFO server is a centralized content management system for these display solutions.

It is used to remotely manage and update the signage, and it is primarily deployed in locations where display content must be updated frequently, such as airports. A server-side file upload feature makes it possible to update display content remotely, but this vulnerability lets attackers abuse that feature to get malicious code onto the server.

This vulnerability was identified as CVE-2024-7399. Attackers can exploit it to run arbitrary code on the server with system privileges. Samsung announced fixes for the flaw in August 2024, but security researchers flagged this week that the vulnerability is already being exploited by bad actors, meaning that the flaw was not patched properly.

Huntress flags that the latest MagicINFO 9 server version is still vulnerable, with no fix in sight. Samsung was reportedly notified of this vulnerability on January 12 this year, but it doesn't appear to have pushed a fix yet; instead, it marked the report as a duplicate.

Security researchers are now advising users to disconnect their MagicINFO 9 servers from the internet until a proper fix is released; otherwise, they run the risk of their servers becoming part of a botnet.

The post Unpatched Samsung flaw puts its digital signage at risk of becoming botnet zombies appeared first on SamMobile.