
CVE-2024-7399: Samsung MagicINFO Flaw Hits Saudi Bank Branches

CISA-listed CVE-2024-7399 in Samsung MagicINFO 9 Server is being weaponized by Mirai variants. Saudi bank branches running digital signage face a hidden OT/TPRM exposure under SAMA CSCC and NCA ECC.

FyntraLink Team

A path-traversal flaw in Samsung MagicINFO 9 Server — the digital signage CMS quietly humming inside thousands of bank branches, ATM lobbies, and corporate headquarters — is now under active exploitation. CISA added CVE-2024-7399 to its Known Exploited Vulnerabilities catalog on 24 April 2026, and Mirai botnet variants are already mass-scanning for vulnerable instances. For Saudi banks operating dense branch networks under SAMA supervision, this is not a marketing-tech problem. It is a SAMA CSCC branch perimeter problem.

What CVE-2024-7399 Actually Does

CVE-2024-7399 is an unauthenticated path-traversal vulnerability in Samsung MagicINFO 9 Server with a CVSS score of 8.8. The flaw lives in the file-upload functionality and allows a remote attacker to write arbitrary files outside the intended directory — including JSP files in web-accessible paths, which converts the bug into pre-authentication remote code execution. Arctic Wolf observed in-the-wild exploitation within days of the public proof-of-concept release, and federal civilian agencies in the United States have until 8 May 2026 to patch or decommission affected instances. Samsung's fix is MagicINFO 9 Server version 21.1050 or later.
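To make the mechanism concrete, here is an added example (written for this article, not Samsung's MagicINFO code, which is closed source) of the vulnerable pattern the paragraph describes beside the check that closes it. The upload root `/srv/signage/upload`, the `webapps/ROOT` directory and the allowlist of media types are all constructed for the illustration; the point is that a client-controlled filename must be validated on its resolved location, not on the raw string, and that executable page types are refused even when they land inside the upload root.

```python
from pathlib import Path

# Constructed allowlist: the media types a signage upload endpoint legitimately needs.
# Server-executable page types (.jsp, .jspx, .jar, .war) are deliberately absent.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".mp4"}


def naive_target(upload_root, filename):
    """Vulnerable pattern: the client-supplied name is joined straight onto the
    upload directory and never checked, so '..' components walk out of it."""
    return (Path(upload_root) / filename).resolve()


def validate_upload_name(upload_root, filename):
    """Hardened pattern. Returns (accepted, reason).

    The containment test runs on the resolved path, so '..' sequences that
    survive URL decoding are caught regardless of how they were spelled."""
    root = Path(upload_root).resolve()
    candidate = (root / filename).resolve()
    # 1. Containment: the final location must lie strictly below the upload root.
    #    An empty name resolves to the root itself and is rejected as well.
    if root not in candidate.parents:
        return False, "escapes upload root"
    # 2. Content type: a write that stays inside the root is still harmful when the
    #    root is served by the application container, so page types are refused.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return False, f"disallowed type {candidate.suffix!r}"
    return True, "ok"


if __name__ == "__main__":
    root = "/srv/signage/upload"          # constructed path, not MagicINFO's real layout
    traversal = "../../webapps/ROOT/x.jsp"  # constructed traversal name
    print("naive join would write to:", naive_target(root, traversal))
    print("hardened check:", validate_upload_name(root, traversal))
    print("hardened check:", validate_upload_name(root, "promo.png"))
```

The check belongs after any URL or multipart decoding of the name and before the file is opened for writing; a second, independent control is to keep the upload directory outside every path the servlet container serves, so that even a missed check cannot turn an upload into a reachable page.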

Why Saudi Bank Branches Are Squarely in Scope

MagicINFO is the dominant management platform for Samsung commercial displays, and Samsung commercial displays dominate Saudi retail banking branches. Walk into almost any tier-one or tier-two bank in Riyadh, Jeddah, or Dammam and you will see Samsung screens running queue tickets, FX rates, product promotions, and Mada campaign content — all centrally orchestrated from a MagicINFO server typically deployed inside the bank's marketing or facilities VLAN. That server is rarely patched on the same cadence as Tier-0 banking systems, often runs on aging Windows Server instances, and is too often reachable from corporate user segments. An attacker who lands code execution on MagicINFO has obtained a foothold deep inside the corporate network — past the perimeter, past the WAF, and adjacent to teller infrastructure.

The Mirai Angle Changes the Threat Model

This is not a targeted nation-state exploit chain. The intelligence indicates Mirai botnet operators are spraying CVE-2024-7399 against any reachable MagicINFO instance to recruit it into DDoS and proxy networks. Mirai's behaviour is loud, opportunistic, and indifferent to the value of the host — but a compromised MagicINFO inside a bank does not stay a Mirai node. It becomes a beachhead that is then sold or handed off to ransomware affiliates such as DragonForce or Qilin, both of which have a documented appetite for Middle Eastern financial targets in 2026.

Impact on SAMA-Regulated Financial Institutions

The SAMA Cyber Security Framework (CSCC) and the NCA Essential Cybersecurity Controls (ECC-2:2024) both require that any system within the bank's logical perimeter be inventoried, vulnerability-managed, and segmented from production environments. A vulnerable MagicINFO server breaks at least four CSCC control families: Asset Management (3.3.1), Vulnerability Management (3.3.14), Network Security (3.3.7), and Third-Party Cyber Security (3.4). Under SDAIA's PDPL enforcement regime — now actively issuing decisions — any breach that exfiltrates branch CCTV feeds, customer-facing campaign data, or staff identifiers triggers a 72-hour notification clock to SDAIA and SAMA. The reputational cost of disclosing that the entry point was an advertising screen is, frankly, unrecoverable.

Recommended Actions for Saudi Banks

  1. Conduct an immediate inventory of every Samsung MagicINFO 9 Server instance across all branches, headquarters, and disaster recovery sites. Include shadow installations operated by marketing or facilities teams without IT oversight.
  2. Patch all instances to MagicINFO 9 Server version 21.1050 or later within 72 hours. Where patching is operationally blocked, isolate the server in a dedicated VLAN with no inbound access from corporate or production segments.
  3. Hunt for indicators of compromise: unexpected JSP files under the MagicINFO web root, new outbound connections to known Mirai C2 infrastructure, and anomalous CPU spikes consistent with cryptomining or DDoS payloads.
  4. Map the MagicINFO ecosystem as a Tier-2 third-party dependency under your SAMA TPRM programme. Require vendors to demonstrate patch cadence and CVE responsiveness in the next contract review cycle.
  5. Update your branch architecture diagram to explicitly enumerate all OT-adjacent assets — signage, queue management, BLE beacons, smart locks — and apply CSCC 3.3.7 segmentation controls. Branch screens are not a marketing concern. They are an attack surface.
  6. Brief the CISO and the Board Cyber Risk Committee. The narrative — "a Mirai-grade botnet compromised our branch displays" — is one no Saudi bank wants to deliver after the fact.
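Step 3's first indicator, unexpected JSP files under the MagicINFO web root, is the one a branch IT team can check without vendor tooling. The following is an added example, not a Fyntralink or Samsung tool: it snapshots every server-side page under a web root from a known-good install as a hash manifest, then re-walks the live host and reports pages that are absent from the manifest or whose content differs. The directory layout (`webapps/MagicInfo/...`), the file names and the page contents in `demo()` are constructed for the illustration and are not MagicINFO's real layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side page types worth tracking in a Java web application.
JSP_SUFFIXES = {".jsp", ".jspx"}


def snapshot_jsp(web_root):
    """Record every server-side page under web_root as {relative path: sha256}.

    Taken from a clean install of the same version (or the vendor package),
    this is the baseline. Content hashes are used rather than timestamps,
    because file times are trivially rewritten on a compromised host."""
    root = Path(web_root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in JSP_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def find_unexpected_jsp(web_root, baseline):
    """Re-walk web_root and report pages not in the baseline or whose content
    changed. Returns a sorted list of (relative path, reason)."""
    findings = []
    for rel, digest in snapshot_jsp(web_root).items():
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content differs from baseline"))
    return sorted(findings)


def demo():
    """Constructed web root: two legitimate pages form the baseline, then a new
    page appears under the upload path and an existing page is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webapps"
        (root / "MagicInfo" / "upload").mkdir(parents=True)
        (root / "MagicInfo" / "index.jsp").write_text("<%-- constructed legitimate page --%>")
        (root / "MagicInfo" / "login.jsp").write_text("<%-- constructed legitimate page --%>")
        baseline = snapshot_jsp(root)
        # Post-incident state, also constructed: one dropped page, one modified page.
        (root / "MagicInfo" / "upload" / "x1.jsp").write_text("<%-- constructed unexpected page --%>")
        (root / "MagicInfo" / "index.jsp").write_text("<%-- constructed modified page --%>")
        return find_unexpected_jsp(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run `snapshot_jsp` against a clean 21.1050-or-later install to produce the manifest, store it off-host, and run `find_unexpected_jsp` against each branch server; a page that is missing from the manifest is the primary hit, and a page with a changed hash matters because an attacker who already has a file write does not need a new file name. Pages that legitimately differ between sites should be removed from the manifest rather than ignored in the report.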

Conclusion

CVE-2024-7399 is a textbook example of how non-banking IT assets become the soft underbelly of a regulated financial institution. The CISA deadline is 8 May 2026 for U.S. federal agencies; Saudi banks should treat it as an internal deadline as well. Mirai is already scanning. DragonForce is already buying access. The clock is running.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted branch-network exposure review.