CVE-2024-7399

Analyzed
Published: 09 Aug 2024, 04:43
Last modified:25 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
71% CRITICAL
71% probability +3.47%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

09 Aug 2024, 04:43
Published
Vulnerability first disclosed
24 Apr 2026, 00:00
Added to CISA KEV
Samsung MagicINFO 9 Server Path Traversal Vulnerability
25 Apr 2026, 03:55
Last Modified
Vulnerability information updated
08 May 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.

CVSS Metrics

  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 71.00% Percentile: 99%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • CWE-434Unrestricted Upload of File with Dangerous Type

    The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Affected Systems

  • samsung electronicsmagicinfo 9 server

    < 21.1050

  • UnknownMagicINFO 9 Server

    < 21.1050 | < 21.1050.0

References (3)