Critical Vulnerability in GFI KerioControl Allows Remote Code Execution with a Single Click (CVE-2024-52875)

ISGroup Cybersecurity

CVE-2024-52875 is a critical vulnerability affecting GFI KerioControl firewall versions from 9.2.5 to 9.4.5. This flaw has been actively exploited in real-world environments, with several malicious IP addresses associated with the exploit observed by GreyNoise. As of January 7, 2025, Censys reported approximately 23,862 publicly exposed GFI KerioControl instances worldwide, with a significant concentration (17%) located in Iran.

ProductKerio-Connect
Date2025-01-10 10:11:51
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability resides in several unauthenticated URI paths of the KerioControl web interface, including /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs. These endpoints do not properly sanitize user input passed via the dest GET parameter, failing to remove line feed (LF) characters. This flaw allows attackers to perform HTTP response splitting attacks, leading to open redirects and reflected cross-site scripting (XSS). An attacker can craft a malicious URL that, when clicked by an authenticated administrator, triggers the upload of a malicious .img file via the firmware update feature, ultimately gaining root access to the firewall system.

Recommendations

GFI Software has addressed the issue in KerioControl version 9.4.5 Patch 1. Users are strongly advised to update to this version or later to mitigate the risk. Additionally, it is recommended to restrict access to the KerioControl management interface to trusted networks and administrators, implement strict input validation to prevent CRLF injection in HTTP headers, and educate users on the risks associated with clicking suspicious links.

[Callforaction-THREAT-Footer]