Critical Vulnerability in GFI KerioControl Allows Remote Code Execution
2025-01-09
Learn about the critical importance of securing firewall products and the potential risks of unpatched vulnerabilities, and how proactive measures can protect your clients.
Hackers are actively exploiting a critical vulnerability in GFI KerioControl firewalls that allows remote code execution by manipulating HTTP headers through a CRLF injection flaw. This vulnerability affects versions 9.2.5 to 9.4.5 and can lead to the theft of admin CSRF tokens, enabling attackers to upload malicious files and gain unauthorized access. Recent scans have detected exploitation attempts, and with nearly 24,000 internet-exposed instances, it's advised to restrict access and monitor for suspicious activities if patching isn't feasible.
Patch Management, Web App/Website Vulnerability, Privilege Escalation
GFI KerioControl, CVE-2024-52875, Remote Code Execution, Firewall Vulnerability, CRLF Injection
GFI KerioControl
Hackers are actively exploiting a significant vulnerability in the GFI KerioControl firewall, a product commonly used by small and medium-sized businesses for network security. The vulnerability, identified as CVE-2024-52875, involves a CRLF injection flaw that can lead to remote code execution (RCE) with just one click. The issue arises from improper handling of line feed characters in the 'dest' parameter, which allows attackers to manipulate HTTP headers and responses. This manipulation can result in the execution of malicious JavaScript on a victim's browser, enabling the extraction of sensitive cookies or CSRF tokens. Once an attacker obtains a CSRF token from an authenticated admin, they can upload a harmful .IMG file containing a root-level shell script. This script exploits Kerio's upgrade functionality to open a reverse shell, granting the attacker unauthorized access. The vulnerability affects GFI KerioControl versions from 9.2.5 through 9.4.5. Businesses using these versions are at risk and should be aware of the potential for exploitation. Threat monitoring platforms like Greynoise have detected attempts to exploit this vulnerability from multiple IP addresses, classifying the activity as malicious. This indicates that threat actors are actively targeting systems, not just researchers testing the vulnerability. If immediate patching is not possible, it is recommended to limit access to KerioControl's web management interface to trusted IP addresses. Additionally, disabling public access to the '/admin' and '/noauth' pages via firewall rules can help mitigate the risk. Monitoring for suspicious activity targeting the 'dest' parameters and shortening session expiration times are also effective strategies to enhance security.Exploitation of GFI KerioControl Firewall Vulnerability
Understanding the Vulnerability
Affected Versions
Recent Exploitation Attempts
Mitigation Measures