CVE-2024-7399

Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload

Detects exploitation of CVE-2024-7399, a path traversal and unrestricted file upload vulnerability in Samsung MagicINFO 9 Server. Successful exploitation allows unauthenticated or low-privileged attackers to upload arbitrary files outside the intended directory, potentially leading to remote code execution. This CVE is actively exploited in the wild (CISA KEV).

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor: Samsung
Product: MagicINFO 9 Server

Weakness (CWE)

Timeline

Disclosed: April 24, 2026

CVSS

Unscored

What is CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload?

Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload (CVE-2024-7399) maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Execution and Persistence.

This page provides production-ready detection logic for Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload, covering the data sources and telemetry it touches: Azure Firewall Logs, CommonSecurityLog, DeviceNetworkEvents, W3CIISLog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence
Microsoft Sentinel / Defender
kusto
// Ports, file extensions and traversal encodings the rule looks for
let MagicINFOPorts = dynamic([80, 443, 8080, 7001, 8088]);
let SuspiciousExtensions = dynamic(['.jsp', '.aspx', '.php', '.war', '.jspx', '.ashx', '.sh', '.py', '.pl']);
let TraversalPatterns = dynamic(['../', '..\\', '%2e%2e%2f', '%2e%2e/', '..%2f', '%2e%2e%5c']);
// The filters below use CommonSecurityLog column names (RequestURL, DestinationPort, SourceIP, ...)
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated > ago(24h)
// DestinationPort is numeric, so it is matched with in() rather than a string operator
| where DestinationPort in (MagicINFOPorts)
  or RequestURL has_any (TraversalPatterns)
  or RequestURL has_any (SuspiciousExtensions)
// Scope to MagicINFO URLs or hosts, or to any request carrying a traversal sequence
| where RequestURL contains 'MagicInfo' or DestinationHostName contains 'magicinfo'
  or RequestURL has_any (TraversalPatterns)
| extend CleanURL = tolower(RequestURL)
| where CleanURL has_any (TraversalPatterns) or CleanURL has_any (SuspiciousExtensions)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, RequestMethod, ResponseCode, DeviceAction
// More than two matching requests per source/destination pair in a 5-minute bin raises the alert
| summarize Attempts=count(), Methods=make_set(RequestMethod), URLs=make_set(RequestURL, 10) by SourceIP, DestinationIP, bin(TimeGenerated, 5m)
| where Attempts > 2
| extend AlertSeverity = 'High', CVE = 'CVE-2024-7399'

Detects HTTP requests to Samsung MagicINFO 9 Server endpoints containing path traversal sequences or suspicious file extensions indicative of CVE-2024-7399 exploitation attempts.

critical severity medium confidence

Data Sources

Azure Firewall Logs, CommonSecurityLog, DeviceNetworkEvents, W3CIISLog

Required Tables

DeviceNetworkEvents, CommonSecurityLog, W3CIISLog

False Positives

  • Legitimate administrative file uploads to MagicINFO server using paths that contain dots
  • Security scanners or vulnerability assessment tools performing authorized scans of MagicINFO endpoints
  • URL-encoded characters in normal content delivery requests to MagicINFO server
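
The rule's matching and thresholding, replayed offline over constructed access-log records to show how the false positives listed above behave. This is an added Python example, not part of the published rule. It goes one step beyond the rule's fixed pattern list by percent-decoding the URL first, so double-encoded sequences are also caught. The record fields and URL paths are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

SUSPICIOUS_EXT = ('.jsp', '.aspx', '.php', '.war', '.jspx', '.ashx', '.sh', '.py', '.pl')

def segments(url, rounds=3):
    """Decode repeatedly (catches double encoding), unify slashes, split into path/query parts."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return re.split(r'[/?&=;]', url.replace('\\', '/').lower())

def has_traversal(url):
    # Only a segment that is exactly ".." is a traversal; "report..final.pdf" is not.
    return '..' in segments(url)

def has_suspicious_ext(url):
    return any(seg.endswith(SUSPICIOUS_EXT) for seg in segments(url))

def is_hit(rec):
    # Same scoping as the rule: MagicINFO URL or host, or any traversal sequence.
    scoped = 'magicinfo' in (rec['url'] + ' ' + rec['host']).lower() or has_traversal(rec['url'])
    return scoped and (has_traversal(rec['url']) or has_suspicious_ext(rec['url']))

def alerts(records, threshold=2, bin_seconds=300):
    """Count hits per (source, destination, 5-minute bin); alert when count > threshold."""
    buckets = defaultdict(int)
    for rec in records:
        if is_hit(rec):
            ts = datetime.fromisoformat(rec['ts']).timestamp()
            buckets[(rec['src'], rec['dst'], int(ts // bin_seconds))] += 1
    return sorted((src, dst, n) for (src, dst, _), n in buckets.items() if n > threshold)

# Constructed sample records; the URL paths are hypothetical, not real MagicINFO endpoints.
def rec(ts, src, url):
    return {'ts': f'2026-01-01T10:{ts}+00:00', 'src': src, 'dst': '10.0.0.5',
            'host': 'magicinfo.example.internal', 'url': url}

SAMPLE = [
    rec('00:05', '203.0.113.7', '/MagicInfo/example/upload?name=..%2f..%2fa.jsp'),
    rec('00:40', '203.0.113.7', '/MagicInfo/example/upload?name=%252e%252e%252fa.jsp'),
    rec('01:10', '203.0.113.7', '/MagicInfo/example/upload?name=..%5c..%5ca.jsp'),
    rec('00:10', '10.0.0.20', '/MagicInfo/content/report..final.pdf'),
    rec('00:20', '10.0.0.20', '/MagicInfo/content/v1.2.3/promo%20video.mp4'),
    rec('00:30', '10.0.0.20', '/MagicInfo/content/logo.png'),
]

if __name__ == '__main__':
    print(alerts(SAMPLE))
```
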

Sigma rule & cross-platform mapping

The detection logic for Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload (CVE-2024-7399) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Last updated: 2026-06-19 Research depth: standard

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2024-7399 Path Traversal Directory Enumeration

    Expected signal: Web access logs show GET requests with '../', '%2e%2e%2f', or '..%2f' in the URI path targeting MagicINFO endpoints. Network monitoring captures HTTP requests to port 8080 with traversal sequences.

  2. Test 2: CVE-2024-7399 Web Shell Upload via Path Traversal

    Expected signal: IIS or servlet container logs show POST request to upload endpoint with path traversal in query parameter. Filesystem monitoring detects new .jsp file created in webroot. Process monitoring may show java.exe or tomcat process writing to unexpected directory.

  3. Test 3: CVE-2024-7399 Web Shell Execution Verification

    Expected signal: Access logs show GET request to the uploaded shell path returning HTTP 200. EDR/process monitoring captures cmd.exe, sh, or powershell.exe spawned as a child of the Java/Tomcat process. Network connections from MagicINFO server process to external IPs if a reverse shell payload is used.
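
The expected signals for Tests 2 and 3 can be joined into one chain when validating telemetry: a traversal upload, an HTTP 200 on the same file from the same source, then a shell spawned by the Java/Tomcat process. The following is an added Python example, not part of this page's detection package. The event field names, host names and URL paths are hypothetical and the events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

SHELLS = {'cmd.exe', 'sh', 'powershell.exe'}

def t(ev):
    return datetime.fromisoformat(ev['ts'])

def dropped_file(ev):
    """Test 2 signal: file name a POST places via traversal in its query string, else None."""
    if ev['method'] != 'POST':
        return None
    query = unquote(urlsplit(ev['url']).query).replace('\\', '/').lower()
    if '../' in query and query.endswith('.jsp'):
        return query.rsplit('/', 1)[-1]
    return None

def is_shell_spawn(ev):
    """Test 3 signal: cmd.exe, sh or powershell.exe started by the Java/Tomcat process."""
    parent = ev['parent'].lower()
    return ev['child'].lower() in SHELLS and ('java' in parent or 'tomcat' in parent)

def chains(web, proc, window=timedelta(minutes=10)):
    """Join upload -> HTTP 200 on that file from the same source -> shell spawn on that host."""
    found = []
    for up in web:
        name = dropped_file(up)
        for hit in web if name else []:
            if (hit['method'] == 'GET' and hit['status'] == 200 and hit['src'] == up['src']
                    and urlsplit(hit['url']).path.lower().endswith('/' + name)
                    and t(up) <= t(hit) <= t(up) + window):
                spawned = any(is_shell_spawn(p) and p['host'] == up['host']
                              and t(hit) <= t(p) <= t(hit) + window for p in proc)
                found.append((up['src'], name, 'shell-spawn' if spawned else 'file-served'))
    return found

# Constructed events; field names and URL paths are hypothetical.
def web_ev(ts, method, url, status, src='203.0.113.7'):
    return {'ts': '2026-01-01T10:' + ts, 'method': method, 'url': url,
            'status': status, 'src': src, 'host': 'signage01'}

WEB = [
    web_ev('00:00', 'POST', '/MagicInfo/example/upload?name=..%2f..%2fwebapps%2fa.jsp', 200),
    web_ev('00:30', 'GET', '/MagicInfo/a.jsp', 200),
    web_ev('02:00', 'POST', '/MagicInfo/example/upload?name=banner.png', 200, src='10.0.0.20'),
]
PROC = [{'ts': '2026-01-01T10:00:31', 'host': 'signage01',
         'parent': 'tomcat9.exe', 'child': 'cmd.exe'}]

if __name__ == '__main__':
    print(chains(WEB, PROC))
```

A result of `file-served` without `shell-spawn` means the web-log half of the chain fired but no matching process telemetry was collected from that host.
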
