More than 12,000 KerioControl Devices at Risk Due to Critical Vulnerability
In today’s world, cybersecurity is becoming an increasingly urgent issue, and a highly dangerous vulnerability has recently been discovered in GFI KerioControl firewalls. The vulnerability, identified as CVE-2024-52875, affects versions 9.2.5–9.4.5 and allows attackers to remotely execute code (RCE – Remote Code Execution). Cybercriminals are actively exploiting this vulnerability, putting thousands of devices at risk worldwide.
Researchers have identified that the vulnerability exists in the following unauthenticated URI paths of the KerioControl web interface:
/nonauth/addCertException.cs/nonauth/guestConfirm.cs/nonauth/expiration.cs
These pages improperly filter data passed through the dest parameter in GET requests. As a result, attackers can inject line feed (LF) characters into HTTP responses, making HTTP response splitting attacks possible. This can lead to open redirects and reflected cross-site scripting (XSS).
A proof-of-concept (PoC) exploit demonstrated by researchers shows that attackers can craft a malicious link that, when clicked by an administrator, triggers the firewall’s firmware update mechanism, allowing the upload of a malicious .img file. This ultimately grants the attacker root privileges on the device.
Since the exploit works via unauthenticated URIs, cybercriminals can use social engineering techniques to lure administrators into falling for the trap.
As of February 9, 2025, The Shadowserver Foundation reported 12,229 unpatched and vulnerable KerioControl devices worldwide. A heatmap published by Shadowserver highlights the widespread impact of the vulnerability across North America, Europe, and Asia.
The organization has also detected active scanning attempts targeting this vulnerability through its honeypot sensors, indicating that attacks are already underway.
Unfortunately, the National Vulnerability Database (NVD) has not yet issued an official advisory or update regarding CVE-2024-52875. This could leave many organizations unaware of the threat until their systems are compromised.
If successfully exploited, this vulnerability could grant attackers full control over affected devices, enabling them to access corporate networks or use compromised firewalls as entry points for further attacks. This could lead to data breaches, ransomware incidents, or other forms of cybercrime.
At this time, GFI Software has not released an official patch or advisory addressing CVE-2024-52875. Therefore, organizations using affected versions of KerioControl should take the following measures:
- Restrict Access: Limit access to the web interface to trusted IP addresses only.
- Monitor Activity: Regularly review security logs and watch for suspicious activity.
- Apply Updates: Keep track of firmware updates from GFI Software and install them as soon as they become available.
- Educate Administrators: Train security personnel to recognize phishing attempts and malicious links.
Shadowserver urges organizations to verify whether their systems are vulnerable. It is recommended to use monitoring platforms and check for potential signs of compromise.
The CVE-2024-52875 vulnerability serves as another reminder of the importance of timely security updates. Since firewalls play a crucial role in protecting corporate networks, their exploitation can have serious consequences.
Currently, more than 12,000 vulnerable devices remain exposed on the internet, making them easy targets for attackers. Organizations must act swiftly to update their systems or implement alternative security measures.
With the growing complexity of the technological landscape, timely software updates and continuous enhancement of cybersecurity measures should be a top priority for any organization.
