A critical vulnerability in GFI KerioControl firewalls (versions 9.2.5 through 9.4.5) is under active exploitation, allowing attackers to gain complete control of affected devices. The vulnerability, tracked as CVE-2024-52875, resides in the firewall’s web interface and can be exploited through a malicious URL.
The vulnerability stems from improper sanitization of user input in specific URI paths of the KerioControl web interface. This flaw enables attackers to perform HTTP response splitting attacks, leading to open redirects and reflected cross-site scripting (XSS).
As described in the vulnerability disclosure, user input passed to affected URIs via the “dest” GET parameter is not properly sanitized before being used to generate a “Location” HTTP header in a 302 HTTP response. Specifically, the application does not correctly filter/remove linefeed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, potentially enabling reflected XSS and other attacks. The Reflected XSS vector can be abused to perform 1-click RCE attacks by injecting malicious JavaScript into unauthenticated endpoints.
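To make the mechanism concrete, the following Python is an added example (not KerioControl code and not the researcher's PoC) that models a redirect handler copying a URL-decoded "dest" value into a Location header without filtering linefeeds, a hardened variant of the same handler, and a lenient response parser of the kind that treats a bare LF as a line terminator. The handler and endpoint are hypothetical; only the "dest" parameter, the 302 redirect and the unfiltered LF are taken from the advisory text.

```python
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit


def build_redirect(dest: str) -> bytes:
    """Vulnerable handler (hypothetical): the URL-decoded dest value is placed
    in the Location header verbatim, so CR/LF in it are never removed."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {unquote(dest)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def build_redirect_fixed(dest: str) -> bytes:
    """Hardened handler (added here, not the vendor's patch): refuse any
    control character, then restrict the target to a same-origin absolute path."""
    value = unquote(dest)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        # CR, LF, NUL, tab ...: anything that could end the header line
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    parts = urlsplit(value)
    if (parts.scheme or parts.netloc or not value.startswith("/")
            or value.startswith(("//", "/\\"))):
        value = "/"  # safe default instead of an attacker-chosen origin (open redirect)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {value}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_lenient(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Parse like a lenient client that accepts a bare LF as a line terminator.
    That leniency is what turns an injected LF into extra header lines and a body."""
    text = raw.decode().replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    status, *header_lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return status, headers, body


if __name__ == "__main__":
    # Constructed payload: LF-separated header plus a body, all inside "dest".
    payload = "%0aContent-Type:%20text/html%0a%0a%3Cscript%3Ealert(1)%3C/script%3E"
    status, headers, body = parse_lenient(build_redirect(payload))
    print(status, headers, repr(body[:25]))          # injected header and body appear
    print(build_redirect_fixed(payload)[:24])        # hardened handler rejects it
```

With the vulnerable handler the attacker's text becomes a second header and a response body; with the hardened handler the same input is answered with a 400, and an absolute URL such as https://evil.example/ is replaced by "/" so the endpoint cannot be used as an open redirect either. A strict parser that only honours CRLF would not split on the bare LF, which is why the character the server fails to strip matters.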
Karma(In)Security, the firm that identified CVE-2024-52875, has developed a proof-of-concept (PoC) exploit for this 1-click chain. An attacker tricks an authenticated administrator into clicking a malicious link; the JavaScript injected through the reflected XSS then uses the administrator's session to upload a malicious .img firmware image. The malicious image grants the attacker root access to the firewall, effectively compromising the network behind it. Attackers are now leveraging the same flaw in the wild.
At the time of writing, Censys identified 23,862 publicly exposed GFI KerioControl instances, 17% of them located in Iran. Not every exposed instance is necessarily vulnerable, since the scans do not reveal the installed software version.
While initial reports indicated no active exploitation at the time of disclosure (December 16, 2024), security researchers at GreyNoise observed exploit attempts as early as December 28th. These attacks appear to originate predominantly from Singapore and target systems in Lithuania.
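For defenders who want to look for the attempts GreyNoise describes, the following Python is an added example (not GreyNoise's or GFI's tooling) that scans web-server access-log lines for a "dest" parameter carrying an encoded CR/LF, a double-encoded CR/LF, or an external redirect target. The log lines are constructed for the example and the endpoint path in them is hypothetical; the "dest" parameter is the one named in the advisory.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
# "/example/redirect" is a hypothetical endpoint, not a KerioControl path.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Dec/2024:10:01:12 +0000] "GET /example/redirect?dest=/admin/ HTTP/1.1" 302 0
203.0.113.9 - - [28/Dec/2024:10:02:44 +0000] "GET /example/redirect?dest=%0aSet-Cookie:%20x=1 HTTP/1.1" 302 0
198.51.100.7 - - [28/Dec/2024:10:03:01 +0000] "GET /example/redirect?dest=%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Cscript%3E HTTP/1.1" 302 0
198.51.100.8 - - [28/Dec/2024:10:04:30 +0000] "GET /example/redirect?dest=%250aX-Injected:%201 HTTP/1.1" 302 0
198.51.100.9 - - [28/Dec/2024:10:05:02 +0000] "GET /example/redirect?dest=https://evil.example/ HTTP/1.1" 302 0
192.0.2.3 - - [28/Dec/2024:10:06:15 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""

# client ip, ident, user, [timestamp], "METHOD target protocol"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def classify_dest(value: str) -> Optional[str]:
    """Label one already-URL-decoded dest value, or return None if it looks benign."""
    if "\r" in value or "\n" in value:
        return "header-injection"
    decoded_again = unquote(value)  # second decoding layer: %250a -> %0a -> LF
    if decoded_again != value and ("\r" in decoded_again or "\n" in decoded_again):
        return "double-encoded-header-injection"
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or value.startswith(("//", "/\\")):
        return "external-redirect"  # open-redirect use of the same parameter
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_target, finding) for every suspicious dest= value."""
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs URL-decodes once, which is exactly what the vulnerable server did
        for value in parse_qs(query, keep_blank_values=True).get("dest", []):
            label = classify_dest(value)
            if label:
                findings.append((m["ip"], m["target"], label))
    return findings


if __name__ == "__main__":
    for ip, target, label in scan_log(SAMPLE_LOG):
        print(f"{label:32} {ip:15} {target}")
```

Run against the sample, the scanner flags the two lines with an encoded linefeed, the double-encoded one, and the absolute-URL target, while the plain same-origin redirect and the static-file request pass. Matching on the decoded value rather than on the literal string "%0a" is deliberate: case variants (%0A), mixed CRLF sequences and double encoding all collapse to the same control characters once decoded.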
GFI Software has addressed this vulnerability in Kerio Control version 9.4.5 Patch 1. All users of affected versions are strongly urged to update their firewalls immediately. Until the update is applied, keeping the web interface off the public internet and restricting it to trusted management networks reduces exposure, and administrators should avoid opening untrusted links while logged in to the firewall, since the attack depends on an authenticated administrator's browser session.