Samsung MagicINFO Server Flaw Now Actively Exploited – Huntress Uncovers Real-World Attacks

Cybersecurity researchers at Huntress have issued a warning after confirming active exploitation of a critical remote code execution (RCE) vulnerability in Samsung’s MagicINFO 9 digital signage software.

The flaw, tracked as CVE-2024-34515, allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending a malicious HTTP request. Tens of thousands of MagicINFO instances, many with default configurations, are exposed to the Internet, which means the attack surface is significant.

In their latest blog post, Huntress provides a technical deep dive into how attackers are abusing the flaw, complete with packet captures, payload analysis, and post-exploitation behaviour. Their research follows the public disclosure of the vulnerability last week, and critically, confirms that attackers are now leveraging it in real-world campaigns.

“We’ve already observed activity in the wild, including one IP attempting to execute commands via the vulnerability. This is no longer a theoretical risk,” the Huntress team warned.

Attack Analysis

The flaw stems from how MagicINFO handles deserialisation of Java objects in HTTP requests. Huntress found that attackers use URL-encoded Java payloads to deliver malicious commands, including a base64-encoded reverse shell. Once a foothold is established, attackers appear to be running enumeration scripts and laying the groundwork for further compromise. One observed payload included a shell command that downloaded and executed a remote script from an attacker-controlled domain, with the intent of opening persistent backdoor access.

Detection and Mitigation

Huntress offers actionable defence strategies, including:

Searching server logs for suspicious POST requests to the vulnerable /magicInfo/j_spring_security_check endpoint
Inspecting for commands involving tools like curl, wget, or bash
Looking for unusual outbound connections that may indicate data exfiltration or reverse shells

The blog includes detection techniques and Indicators of Compromise (IOCs) to help defenders assess exposure and respond effectively.

Samsung has since issued a patch and is urging customers to update immediately. However, as Huntress points out, many organisations running MagicINFO may not have traditional IT or patching workflows in place, especially in environments like retail, hospitality, or education, where digital signage systems are often overlooked from a security perspective.

“Organisations should treat this as a priority. Even if MagicINFO isn’t a core business app, it can become an attacker’s beachhead if left exposed,” Huntress warned.

Read the full Huntress analysis here: https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw

The post Samsung MagicINFO Server Flaw Now Actively Exploited – Huntress Uncovers Real-World Attacks appeared first on IT Security Guru.

The original article found on IT Security Guru Read More

Attack Analysis

Detection and Mitigation

Related Posts

YouTube Warns of Phishing Emails Attacking Creators to Steal Login Credentials

Verizon DBIR Report: Small Businesses Identified as Key Targets in Ransomware Attacks

CISA Extends Support a Last Minute to CVE Program, Averting Global Cybersecurity Crisis