Cybersecurity researchers at Huntress have issued a warning after confirming active exploitation of a critical remote code execution (RCE) vulnerability in Samsung’s MagicINFO 9 digital signage software.
The flaw, tracked as CVE-2024-34515, allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending a malicious HTTP request. Tens of thousands of MagicINFO instances, many with default configurations, are exposed to the Internet, which means the attack surface is significant.
In their latest blog post, Huntress provides a technical deep dive into how attackers are abusing the flaw, complete with packet captures, payload analysis, and post-exploitation behaviour. Their research follows the public disclosure of the vulnerability last week, and critically, confirms that attackers are now leveraging it in real-world campaigns.
“We’ve already observed activity in the wild, including one IP attempting to execute commands via the vulnerability. This is no longer a theoretical risk,” the Huntress team warned.
Attack Analysis
The flaw stems from how MagicINFO handles deserialisation of Java objects in HTTP requests. Huntress found that attackers use URL-encoded Java payloads to deliver malicious commands, including a base64-encoded reverse shell. Once a foothold is established, attackers appear to be running enumeration scripts and laying the groundwork for further compromise. One observed payload included a shell command that downloaded and executed a remote script from an attacker-controlled domain, with the intent of opening persistent backdoor access.
Detection and Mitigation
Huntress offers actionable defence strategies, including:
-
Searching server logs for suspicious POST requests to the vulnerable
/magicInfo/j_spring_security_checkendpoint -
Inspecting for commands involving tools like
curl,wget, orbash -
Looking for unusual outbound connections that may indicate data exfiltration or reverse shells
The blog includes detection techniques and Indicators of Compromise (IOCs) to help defenders assess exposure and respond effectively.
Samsung has since issued a patch and is urging customers to update immediately. However, as Huntress points out, many organisations running MagicINFO may not have traditional IT or patching workflows in place, especially in environments like retail, hospitality, or education, where digital signage systems are often overlooked from a security perspective.
“Organisations should treat this as a priority. Even if MagicINFO isn’t a core business app, it can become an attacker’s beachhead if left exposed,” Huntress warned.
Read the full Huntress analysis here: https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw
