A critical security vulnerability, CVE-2024-52875, has been identified in GFI KerioControl firewalls, affecting versions 9.2.5 through 9.4.5.
This flaw, which can be exploited for remote code execution (RCE), has already drawn significant attention from cybercriminals, with thousands of unpatched systems worldwide now at risk.
The vulnerability resides in several unauthenticated URI paths of the KerioControl web interface, including /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs.
These pages fail to properly sanitize user input passed via the dest GET parameter, allowing attackers to inject line feed (LF) characters into HTTP responses. This improper input handling opens the door to HTTP response splitting attacks, which can lead to open redirects and reflected cross-site scripting (XSS).
A proof-of-concept (PoC) exploit demonstrates how attackers can leverage this flaw to execute malicious actions. Specifically, an attacker could craft a malicious URL that, when clicked by an authenticated administrator, triggers the upload of a malicious .img file via the firewall’s firmware upgrade functionality. This process ultimately grants the attacker root access to the system.
The exploit’s accessibility via unauthenticated URI paths makes it particularly dangerous, as external threat actors can combine it with social engineering tactics to trick administrators into clicking malicious links.
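As an added illustration (not code from the article, from GFI, or from Shadowserver), the following Python flags web-server log entries that hit the three /nonauth/ endpoints above with a dest value containing CR or LF after percent-decoding, and shows the validation a hardened endpoint would apply to a redirect target instead of echoing it into a response header. The log lines, IP addresses and query values are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Unauthenticated KerioControl endpoints named in the article.
VULNERABLE_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

# Constructed sample access-log lines (Common Log Format); the IPs and
# query values are illustrative, not real indicators of compromise.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Feb/2025:10:00:01 +0000] "GET /nonauth/guestConfirm.cs?dest=%2Fwelcome HTTP/1.1" 302 0
203.0.113.7 - - [09/Feb/2025:10:00:02 +0000] "GET /nonauth/expiration.cs?dest=%2Fx%0d%0aX-Injected%3A+1 HTTP/1.1" 302 0
203.0.113.9 - - [09/Feb/2025:10:00:03 +0000] "GET /admin/login.cs?dest=%0a HTTP/1.1" 200 512
203.0.113.11 - - [09/Feb/2025:10:00:04 +0000] "GET /nonauth/addCertException.cs?dest=%0Ainjected HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def has_crlf(value: str) -> bool:
    """True if a decoded parameter value carries a CR or LF (the response-splitting primitive)."""
    return "\r" in value or "\n" in value

def flag_suspicious_requests(log_text: str) -> list:
    """Return entries hitting a listed /nonauth/ path with CR/LF inside the dest parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path not in VULNERABLE_PATHS:
            continue
        # parse_qs percent-decodes, so %0a / %0d become real control characters.
        for dest in parse_qs(parts.query, keep_blank_values=True).get("dest", []):
            if has_crlf(dest):
                hits.append({"ip": m["ip"], "path": parts.path, "dest": dest})
    return hits

def safe_dest(value: str) -> Optional[str]:
    """Hardened redirect-target check: reject control characters and off-site
    destinations rather than echoing the raw value into a Location header."""
    if has_crlf(value) or not value.startswith("/") or value.startswith("//"):
        return None
    return value
```

On the sample log, only the two requests carrying %0d/%0a in dest against a listed endpoint are flagged; the /admin/ request is out of scope for this check.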
Global Impact and Exploitation
As of February 9, 2025, the Shadowserver Foundation reported that there are 12,229 unpatched KerioControl instances exposed globally. A heatmap shared by Shadowserver highlights widespread vulnerabilities across North America, Europe, and Asia.
The organization has also detected scanning activity targeting this specific vulnerability in its honeypot sensors, indicating active exploitation attempts by threat actors.
The lack of an official advisory from the National Vulnerability Database (NVD) further complicates mitigation efforts. Organizations relying on these firewalls may remain unaware of the risk until they experience a breach or receive alerts from third-party security monitors like Shadowserver.
Unpatched KerioControl firewalls are at risk of being compromised by attackers who could gain full control over the devices. Once exploited, these firewalls could serve as entry points for broader network intrusions or be used to launch further attacks against connected systems.
Given the critical nature of firewalls in securing organizational networks, successful exploitation could lead to data breaches, ransomware attacks, or other forms of cybercrime.
Mitigation and Recommendations
GFI Software has not yet issued a public patch or advisory addressing CVE-2024-52875. In light of this delay, organizations using affected versions of KerioControl firewalls should take immediate steps to mitigate the risk:
- Restrict Access: Limit access to the web interface by allowing only trusted IP addresses.
- Monitor for Indicators: Check for unusual activity or signs of compromise on firewall systems.
- Apply Updates: Regularly check for firmware updates from GFI and apply them as soon as they become available.
- Educate Administrators: Train administrators to recognize and avoid clicking on suspicious links that could exploit this vulnerability.
Shadowserver has urged organizations to act swiftly and verify whether their systems are vulnerable. They recommend monitoring their dashboards for alerts and applying any available patches.
The exploitation of CVE-2024-52875 highlights the critical importance of timely patch management and proactive security measures. With over 12,000 systems still unpatched globally and active scanning detected in the wild, this vulnerability poses a severe threat to organizations relying on GFI KerioControl firewalls.