CVE-2024-7399 IBM QRadar · QRadar

Detect Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload in IBM QRadar

Detects exploitation of CVE-2024-7399, a path traversal and unrestricted file upload vulnerability in Samsung MagicINFO 9 Server. Successful exploitation allows unauthenticated or low-privileged attackers to upload arbitrary files outside the intended directory, potentially leading to remote code execution. This CVE is actively exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence

QRadar Detection Query

```sql
SELECT
  sourceip,
  destinationip,
  destinationport,
  URL,
  "HTTP Method",
  "HTTP Response Code",
  COUNT(*) AS attempt_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'Squid', 'Palo Alto Networks Firewall')
  AND (
    URL ILIKE '%../%'
    OR URL ILIKE '%..\\%'
    OR URL IMATCHES '.*(%2e%2e(%2f|%5c|/)|[.][.]%2f).*'
  )
  AND (
    URL ILIKE '%magicinfo%'
    OR destinationport IN (8080, 7001, 8088)
  )
  AND LOGSOURCENAME(logsourceid) NOT ILIKE '%authorized-scanner%'
  AND starttime > NOW() - 3600000
GROUP BY sourceip, destinationip, destinationport, URL, "HTTP Method", "HTTP Response Code"
HAVING attempt_count > 1
ORDER BY attempt_count DESC
```

Severity: critical · Confidence: medium

QRadar AQL query identifying path traversal exploitation attempts against Samsung MagicINFO 9 Server by analyzing URL patterns in web and proxy log sources. The plain `../` and `..\` variants are matched with ILIKE, but the percent-encoded variants (`%2e%2e%2f`, `%2e%2e/`, `..%2f`, `%2e%2e%5c`) use IMATCHES, a case-insensitive regular expression, because `%` is the ILIKE wildcard: a pattern such as `'%%2e%2e%2f%'` would match any URL containing `2e`, then `2e`, then `2f` anywhere, not the literal encoded traversal sequence, and would fire on ordinary content filenames.
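To show what the traversal patterns above match, and why the encoded variants need a regex rather than a `%` wildcard, here is an added Python example (not part of this page or of QRadar) that applies the same six traversal variants and the MagicINFO scoping to constructed Apache-style access lines and counts repeated attempts per source, method, URL and status, as the AQL does. Excluding authorized scanners by source IP (the AQL does it by log source name), the endpoint path `/MagicInfo/upload` and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Same six traversal variants as the AQL query; IGNORECASE also covers %2E / %2F.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e(?:%2f|%5c|/)|\.\.%2f", re.IGNORECASE)

# Apache combined-format line: source IP, method, URL, status (destination port is not logged here).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic; /MagicInfo/upload is a placeholder endpoint.
# The 198.51.100.7 request is a benign content fetch whose filename contains "2e2e2f":
# a wildcard-based ILIKE '%%2e%2e%2f%' would match it, the regex does not.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jun/2026:10:01:02 +0000] "GET /MagicInfo/upload?path=../../webapps/ROOT/ HTTP/1.1" 200 512
203.0.113.10 - - [19/Jun/2026:10:01:03 +0000] "POST /MagicInfo/upload?path=%2e%2e%2f%2e%2e%2fwebapps%2fROOT%2f HTTP/1.1" 200 88
203.0.113.10 - - [19/Jun/2026:10:01:05 +0000] "POST /MagicInfo/upload?path=%2e%2e%2f%2e%2e%2fwebapps%2fROOT%2f HTTP/1.1" 200 88
198.51.100.7 - - [19/Jun/2026:10:02:00 +0000] "GET /MagicInfo/content/2e2e2f.png HTTP/1.1" 200 4096
192.0.2.44 - - [19/Jun/2026:10:03:00 +0000] "GET /MagicInfo/upload?path=../ HTTP/1.1" 404 0
192.0.2.44 - - [19/Jun/2026:10:03:01 +0000] "GET /MagicInfo/upload?path=../ HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return the fields the detection needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal(url):
    """True when the URL contains any of the six raw or percent-encoded traversal sequences."""
    return TRAVERSAL_RE.search(url) is not None


def find_traversal_attempts(log_text, scanner_ips=frozenset(), min_count=2):
    """Mirror the AQL: traversal pattern AND MagicINFO scope, minus authorized scanners
    (assumed here to be identified by source IP), grouped like the AQL GROUP BY and
    reported only when the same request was seen min_count times or more."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in scanner_ips:
            continue
        if "magicinfo" not in rec["url"].lower() or not is_traversal(rec["url"]):
            continue
        counts[(rec["src"], rec["method"], rec["url"], rec["status"])] += 1
    hits = [dict(src=k[0], method=k[1], url=k[2], status=k[3], attempt_count=n)
            for k, n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda h: h["attempt_count"], reverse=True)


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG, scanner_ips={"192.0.2.44"}):
        print(hit)
```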

Data Sources

QRadar web server DSM, QRadar proxy DSM, QRadar firewall DSM

Required Tables

events

False Positives & Tuning

  • Authorized vulnerability scanners with known source IPs hitting MagicINFO endpoints
  • Legitimate encoded URLs in MagicINFO CMS content delivery
  • Network monitoring tools that inspect deep packet content on MagicINFO traffic

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2024-7399 Path Traversal Directory Enumeration

    Expected signal: Web access logs show GET requests with '../', '%2e%2e%2f', or '..%2f' in the URI path targeting MagicINFO endpoints. Network monitoring captures HTTP requests to port 8080 with traversal sequences.

  2. Test 2: CVE-2024-7399 Web Shell Upload via Path Traversal

    Expected signal: IIS or servlet container logs show a POST request to the upload endpoint with path traversal in a query parameter. Filesystem monitoring detects a new .jsp file created in the webroot. Process monitoring may show java.exe or the Tomcat process writing to an unexpected directory.

  3. Test 3: CVE-2024-7399 Web Shell Execution Verification

    Expected signal: Access logs show a GET request to the uploaded shell path returning HTTP 200. EDR/process monitoring captures cmd.exe, sh, or powershell.exe spawned as a child of the Java/Tomcat process. If a reverse shell payload is used, outbound network connections from the MagicINFO server process to external IPs will also appear.

Last updated: 2026-06-19
Research depth: standard
