Critical Vulnerability in KerioControl Firewalls Puts Thousands of Systems at Risk


A dangerous security vulnerability in GFI KerioControl firewalls has security experts concerned as attackers actively try to exploit it. The flaw allows malicious actors to remotely execute code and potentially take control of affected systems.

The vulnerability, tracked as CVE-2024-52875, affects KerioControl versions 9.2.5 through 9.4.5. It stems from a carriage return line feed (CRLF) injection weakness that enables attackers to manipulate HTTP response headers by inserting special characters.

Security researcher Egidio Romano identified the flaw in November 2024. He found that certain pages in KerioControl's web interface fail to properly filter user input, making them susceptible to HTTP response splitting attacks. This can lead to cross-site scripting and other malicious activities.
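To make the mechanism concrete, here is an added example (not KerioControl's code and not from the researcher) of the vulnerable header-building pattern beside its hardened form, plus a check that flags access-log requests carrying URL-encoded CR/LF. The `/redirect?to=` path and all log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed example, not KerioControl's code: a handler that copies a
# user-supplied redirect target into a Location header.
STATUS = b"HTTP/1.1 302 Found\r\n"

def build_redirect_unsafe(target: str) -> bytes:
    """Vulnerable pattern: a CR/LF in the value ends the Location line and starts a new header."""
    return STATUS + b"Location: " + target.encode("latin-1") + b"\r\n\r\n"

def build_redirect_safe(target: str) -> bytes:
    """Hardened form: refuse any control character (CR, LF, NUL, ...) in the value."""
    if re.search(r"[\x00-\x1f\x7f]", target):
        raise ValueError("control character in header value")
    return STATUS + b"Location: " + target.encode("latin-1") + b"\r\n\r\n"

def header_count(raw: bytes) -> int:
    """Header lines in a raw response, status line excluded; >1 for one Location means a split."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return len(head.split(b"\r\n")) - 1

def fully_unquote(s: str, rounds: int = 3) -> str:
    """Decode percent-encoding repeatedly so double-encoded %250d%250a is also caught."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def suspicious_requests(log_lines):
    """Return access-log lines whose request URI decodes to contain CR or LF."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and re.search(r"[\r\n]", fully_unquote(m.group(1))):
            hits.append(line)
    return hits

# Constructed log lines (Common Log Format), not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Dec/2024:10:01:02 +0000] "GET /admin/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Dec/2024:10:01:07 +0000] "GET /redirect?to=/home%0d%0aX-Test:%201 HTTP/1.1" 302 0',
    '203.0.113.9 - - [28/Dec/2024:10:01:09 +0000] "GET /redirect?to=/home%250d%250aX-Test:%201 HTTP/1.1" 302 0',
]
```

Running `suspicious_requests(SAMPLE_LOG)` returns the two encoded-CRLF lines; the hardened builder raises on the same input that the unsafe builder turns into a second header line.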

GFI released a patch on December 19, 2024 with version 9.4.5 Patch 1. However, a proof-of-concept exploit has since become public, demonstrating how attackers could craft malicious URLs to gain root access through the firewall's firmware upgrade feature.

Threat intelligence indicates that exploitation attempts began on December 28, 2024, originating from seven IP addresses in Singapore and Hong Kong. Over 23,800 KerioControl instances are currently exposed to the internet, with large concentrations in Iran, Uzbekistan, Italy, Germany, the United States and other countries.

While the full scope of attacks exploiting this vulnerability remains unclear, security experts strongly advise KerioControl users to immediately apply the available patch to protect their systems.

Organizations using affected versions should:

  • Update to version 9.4.5 Patch 1 immediately
  • Monitor systems for suspicious activity
  • Restrict access to the web management interface
  • Block vulnerable URI paths