Source: karmainsecurity
Hackers are actively exploiting CVE-2024-52875, a vulnerability discovered in GFI KerioControl—a firewall solution designed for small and medium-sized businesses. This critical CRLF Injection flaw enables remote code execution through a single click.
GFI KerioControl serves as a comprehensive network security platform, combining firewall capabilities, VPN, traffic management, antivirus protection, and intrusion prevention systems. The vulnerability, affecting versions 9.2.5 through 9.4.5, stems from improper handling of newline characters (LF) in the “dest” parameter, allowing manipulation of HTTP headers and responses.
On December 16, 2024, security researcher Egidio Romano (EgiX) published a detailed analysis of CVE-2024-52875. He demonstrated how this seemingly low-severity issue could escalate to remote code execution via compromised HTTP responses. Malicious JavaScript injected into responses can steal cookies and CSRF tokens.
By leveraging stolen administrator tokens, attackers can upload malicious IMG files containing scripts with root privileges. This grants them the ability to establish reverse shells through Kerio’s update functionality.
On January 8, the threat monitoring platform Greynoise detected exploitation attempts for CVE-2024-52875 originating from four distinct IP addresses. These activities were deemed malicious and linked to attacks rather than research efforts.
According to Censys, 23,862 instances of KerioControl are accessible online, though the number of vulnerable deployments remains unknown.
GFI Software has released version 9.4.5 Patch 1 to address the issue. Users are strongly advised to apply the patch immediately. As interim measures, it is recommended to restrict access to the firewall’s web interface to trusted IP addresses, block the “/admin” and “/noauth” pages, and reduce session durations to enhance security.
