The patches for an exploited Samsung MagicINFO content material administration system (CMS) vulnerability seem ineffective as risk actors are exploiting it towards up to date methods, safety agency Huntress warns.
The problem, tracked as CVE-2024-7399 (CVSS rating of 8.8) and described because the improper sanitization of consumer enter, permits unauthenticated attackers to add JSP information and execute arbitrary code on the server with system privileges.
Fixes for the flaw have been introduced in August 2024, whereas its in-the-wild exploitation was flagged earlier this week, after proof-of-concept (PoC) exploit code was made public.
Cybersecurity agency Arctic Wolf, which warned of the bug’s exploitation, urged customers to replace to MagicINFO 9 Server model 21.1050 or newer to remain protected, however now Huntress says that the 21.1050 launch too is affected by the vulnerability.
“Huntress additionally noticed exploitation within the wild; nonetheless, a number of the methods impacted had the most recent obtainable patch, which strengthened the idea that the most recent obtainable model (21.1050.0) was certainly nonetheless weak,” the safety agency notes.
The publicly obtainable PoC, Huntress says, works towards variations 21.1050.0 and 21.1040.2 of MagicINFO 9 Server, that means that no repair is presently obtainable for the bug.
“It will possibly solely be concluded that the patch from August 2024 was both incomplete or for a separate, however related, vulnerability,” Huntress says.
The corporate’s report validates an SSD Disclosure advisory stating that the most recent MagicINFO 9 Server launch is impacted by a number of vulnerabilities that enable unauthenticated attackers to execute arbitrary server-side code.Commercial. Scroll to proceed studying.
“These vulnerabilities collectively enable an unauthenticated consumer to add an online shell and obtain distant code execution below the Apache Tomcat course of,” Huntress notes.
Based on SSD Disclosure, Samsung was notified of those safety defects on January 12, 2025, however marked the report as duplicate.
Shortly after the bug’s exploitation got here to gentle, SANS’s Johannes Ullrich warned {that a} Mirai-based botnet has been concentrating on weak MagicINFO CMS situations.
Huntress recommends that customers disconnect their MagicINFO 9 servers from the web till a correct patch is launched.
Associated: Second Wave of Assaults Hitting SAP NetWeaver After Zero-Day Compromise
Associated: Second OttoKit Vulnerability Exploited to Hack WordPress Websites
Associated: Android Replace Patches FreeType Vulnerability Exploited as Zero-Day
Associated: PoC Revealed for Exploited SonicWall Vulnerabilities
