
Samsung MagicINFO 9 Path Traversal Vulnerability, CVSS 8.8

Source: CISA Known Exploited Vulnerabilities (KEV)

Summary

CISA added CVE-2024-7399, a path traversal vulnerability in Samsung MagicINFO 9 Server versions before 21.1050, to its Known Exploited Vulnerabilities catalog. The flaw carries a CVSS 3.1 score of 8.8 (HIGH) and allows authenticated attackers with network access to write arbitrary files as system authority, potentially enabling full system compromise. The vulnerability was reported by an anonymous researcher working with Trend Micro Zero Day Initiative and has been confirmed as actively exploited in the wild since at least May 2025. Organizations running Samsung MagicINFO 9 Server should verify their version and apply the version 21.1050 patch immediately.

“Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.”

CISA, verbatim from source
Why this matters

IT security and patch management teams should prioritize CVE-2024-7399 remediation for any Samsung MagicINFO 9 Server deployments. CISA's addition to the KEV catalog creates remediation expectations under BOD 22-01 for federal civilian agencies, and the automatable/total-impact SSVC classification signals elevated urgency for all operators. Asset inventory is the immediate prerequisite — without knowing which systems run MagicINFO 9, the patch cannot be applied.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CISA on cve.org. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors CISA Known Exploited Vulnerabilities (KEV) for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 41 changes logged to date.

What changed

CVE-2024-7399 was formally catalogued by CISA as a Known Exploited Vulnerability, triggering federal civilian executive branch agencies to remediate under BOD 22-01 binding requirements and signalling heightened risk to all affected Samsung MagicINFO 9 Server operators. The vulnerability involves improper path limitation (CWE-22) combined with unrestricted file upload (CWE-434), enabling privilege escalation to SYSTEM authority. CISA has classified the exploitation as active, automatable, and total-impact under SSVC v2.0.3.

Organizations running Samsung MagicINFO 9 Server should immediately inventory deployments, identify versions prior to 21.1050, and apply the vendor security update available at security.samsungtv.com. Organizations unable to patch promptly should consider network isolation and heightened monitoring for anomalous file-write activity, as the CVSS attack vector (network) and low privilege requirement (PR:L) mean the flaw is accessible to a broad range of threat actors.
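The inventory step above, expressed as a small triage helper that applies the CVE record's affected range (default status unaffected, affected from 0 before 21.1050). This is an added example, not GovPing's or Samsung's code; the hostnames and versions are constructed, and unparseable versions are routed to a manual check rather than assumed safe.

```python
# Added example: version triage for CVE-2024-7399 using the CVE record's
# product status on this page (default "unaffected"; affected from 0
# before 21.1050). Hostnames and versions below are constructed.

AFFECTED_FROM = "0"          # inclusive lower bound of the affected range
AFFECTED_BEFORE = "21.1050"  # exclusive upper bound: the fixed version


def parse_version(text: str) -> tuple:
    """Parse "21.1040.2" into a tuple of ints; non-numeric input raises ValueError."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: tuple, b: tuple) -> bool:
    """Component-wise comparison; a missing trailing component counts as 0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version: str) -> bool:
    """True when version lies in [AFFECTED_FROM, AFFECTED_BEFORE)."""
    v = parse_version(version)
    return (not version_lt(v, parse_version(AFFECTED_FROM))
            and version_lt(v, parse_version(AFFECTED_BEFORE)))


# Constructed sample inventory, not real hosts.
INVENTORY = [
    {"host": "signage-01.example", "version": "21.1040.2"},
    {"host": "signage-02.example", "version": "21.1050"},
    {"host": "signage-03.example", "version": "21.1050.3"},
    {"host": "signage-04.example", "version": "unknown"},
]


def triage(inventory):
    """Return (hosts needing the 21.1050 patch, hosts needing a manual version check)."""
    needs_patch, needs_check = [], []
    for rec in inventory:
        try:
            if is_affected(rec["version"]):
                needs_patch.append(rec["host"])
        except ValueError:
            # Unknown or malformed version: do not silently treat as unaffected.
            needs_check.append(rec["host"])
    return needs_patch, needs_check
```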

Archived snapshot

Apr 25, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Required CVE Record Information

CNA: Samsung TV & Appliance

Updated: 2024-08-09

Description

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.

CWE (2 total)

- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS (1 total)

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

Product Status (1 version)

Default status: unaffected

- affected from 0 before 21.1050

Credits

  • Anonymous working with Trend Micro Zero Day Initiative (reporter)

References (1 total)

Authorized Data Publishers

CISA-ADP: SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC (1 total)

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2025-05-07 |

KEV (1 total)

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7399 (2026-04-24)

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

| Field | Value |
| --- | --- |
| Agency | CISA |
| Published | April 24th, 2026 |
| Instrument | Notice |
| Branch | Executive |
| Legal weight | Non-binding |
| Stage | Final |
| Change scope | Substantive |

Who this affects

| Field | Value |
| --- | --- |
| Applies to | Technology companies; Government agencies; Healthcare providers |
| Industry sector | 5112 Software & Technology |
| Activity scope | Vulnerability remediation; Patch management; Server software security |
| Geographic scope | United States (US) |

Taxonomy

| Field | Value |
| --- | --- |
| Primary area | Cybersecurity |
| Operational domain | IT Security |
| Compliance frameworks | NIST CSF |
| Topics | Data Privacy; Consumer Protection |
