GFI KerioControl vulnerability (CVE-2024-52875) allows 1-click RCE via unauthenticated paths, actively exploited. Update to Patch 1 for protection

Continue reading
A critical vulnerability was disclosed in GFI KerioControl, a popular firewall solution used by businesses worldwide. The vulnerability, identified as CVE-2024-52875, affects GFI KerioControl versions 9.2.5 through 9.4.5. This flaw presents a serious security risk, potentially enabling remote code execution (RCE) through a single click by an attacker. The issue has since been actively exploited in the wild, as confirmed by reports of malicious activity associated with the CVE.
CVE-2024-52875 arises from a failure in properly sanitizing user input in certain URI paths of the KerioControl web interface. These URI paths include:
These endpoints, which are unauthenticated, improperly handle user input passed through the “dest” GET parameter, specifically failing to sanitize linefeed (LF) characters. This vulnerability can be exploited via an HTTP Response Splitting attack. This flaw could lead to reflected cross-site scripting (XSS), which in turn could allow attackers to execute a one-click RCE attack.
The vulnerability occurs when input is passed from the user to the web server, specifically in the "dest" parameter. Due to the improper sanitization, attackers can inject malicious linefeed characters into the response headers. This allows the attacker to split the HTTP response and inject arbitrary content, including malicious JavaScript code.
A crafted URL, if clicked by an authenticated administrator, can trigger the malicious behavior. The attack works by exploiting KerioControl's firmware upgrade functionality, which allows the attacker to upload a malicious `.img` file. This file, once uploaded, provides the attacker with root access to the affected firewall system.
Notably, this attack can be carried out using social engineering tactics. By tricking an administrator into clicking a link, an attacker can gain full control of the firewall system without needing to bypass authentication.
The flaw is especially concerning because it involves unauthenticated endpoints, meaning it can be exploited externally by threat actors. This makes the vulnerability easily accessible to malicious entities, who can leverage this attack vector to compromise the firewall system remotely.
Proof-of-concept (PoC) code has already been released by Karma(In)Security, demonstrating the exploitability of the vulnerability. The code shows how an attacker can use the XSS vector to deliver a malicious firmware update, effectively gaining control over the vulnerable system.
As of January 5, 2025, there are reports indicating that CVE-2024-52875 is actively being exploited in the wild, with several malicious IPs linked to the vulnerability observed in the GreyNoise threat intelligence platform.
The vulnerability has been addressed by GFI Software in KerioControl version 9.4.5 Patch 1, which contains fixes for the issue. Users of vulnerable versions are strongly encouraged to update to this patched version or later to mitigate the risk posed by CVE-2024-52875.
At the time of writing, Censys observed over 23,000 exposed instances of GFI KerioControl, with approximately 17% of these located in Iran. This highlights a significant potential attack surface, as a large number of devices may still be running vulnerable versions of the software. However, it is important to note that not all of these instances are necessarily vulnerable, as specific versions have not been disclosed in Censys' scan results.
Censys provided a specific search query that can be used to identify exposed GFI KerioControl instances:
services.software: (vendor="GFI" and product="Kerio Control") and not labels: {honeypot, tarpit}This query can help security teams identify exposed instances of GFI KerioControl that may need immediate attention.
The discovery of CVE-2024-52875 underscores the importance of timely patching and proper input sanitization in web-facing applications. The ability for attackers to remotely gain root access to firewall systems via social engineering and a single click emphasizes the need for stringent security measures, especially in high-risk environments like firewalls.
Organizations using GFI KerioControl should prioritize updating to the latest patched version (9.4.5 Patch 1) to prevent exploitation of this vulnerability. Additionally, security best practices, such as educating administrators on the risks of phishing and social engineering, are crucial in minimizing the risk of exploitation.
As always, proactive monitoring for unusual network activity and maintaining a robust security posture are essential to mitigating the risk posed by emerging vulnerabilities like CVE-2024-52875.
References:

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams