Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and vulnerable to a critical security flaw (CVE-2024-52875) that could be exploited for remote code execution (RCE) with minimal effort.
The Shadowserver Foundation has been tracking this vulnerability and issuing daily reports since February 5, 2025.
Critical Vulnerability Overview
CVE-2024-52875 is a severe security flaw in KerioControl firewall devices, a popular choice for securing small and medium-sized business networks.
The vulnerability reportedly allows attackers to execute arbitrary code on vulnerable devices, potentially gaining complete control over them.
The simplicity of the attack, described as “1-click RCE,” makes it particularly appealing to cybercriminals.
Exploitation could lead to devastating consequences, including data breaches, ransomware deployment, or using compromised devices in larger cyberattacks.
Over 12,000 Devices Still Unpatched
Despite the release of patches from GFI, Shadowserver reports a concerning number of unpatched KerioControl devices worldwide.
As of February 9, 2025, 12,229 instances remain vulnerable and exposed to this critical flaw.
A global heatmap published by Shadowserver highlights the widespread nature of the issue, showing unpatched devices across multiple countries.
The majority of these devices are likely still in active use, leaving organizations open to serious risks.
Security experts are urging administrators and organizations using KerioControl firewalls to prioritize patching immediately.
Given the ease of exploitation, any delay could result in severe consequences. The Shadowserver Foundation is actively sharing data with network owners to help facilitate immediate remediation efforts.
“Unpatched vulnerabilities like CVE-2024-52875 represent low-hanging fruit for threat actors. Closing these gaps is critical to maintaining security and resilience against cyber threats,” Shadowserver emphasized in a recent statement on X.
The ability of attackers to exploit this flaw with a simple click makes it a ticking time bomb for organizations lagging behind in patch management. The race is on to secure these exposed firewalls before attackers strike.
Are you from SOC/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free