A recently discovered vulnerability in GFI KerioControl firewalls, identified as CVE-2024-52875, has raised concerns among cybersecurity experts because of its potential to enable remote code execution (RCE). The flaw is a carriage return line feed (CRLF) injection that leads to HTTP response splitting: because the attacker controls everything that follows the injected line break, the split response can carry attacker-supplied HTML and script, which amounts to a reflected cross-site scripting (XSS) vulnerability. Security researcher Egidio Romano uncovered and reported the issue in November 2024. It affects KerioControl versions 9.2.5 through 9.4.5.
The flaw is exploitable because user input is not properly sanitized in the URI paths "/nonauth/addCertException.cs," "/nonauth/guestConfirm.cs," and "/nonauth/expiration.cs." Each of these takes a 'dest' GET parameter and copies it into the 'Location' HTTP header of a 302 redirect. Since carriage return (\r) and line feed (\n) characters are not filtered out of that value, an attacker can terminate the header section early and append a second, attacker-controlled response. That is an HTTP response splitting attack, and it yields a reflected XSS attack in the victim's browser, which can in turn be used for further exploitation.
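The mechanics described above, as an added example that is not KerioControl code or the researcher's proof of concept: a minimal redirect handler that copies the decoded 'dest' parameter into a 302 Location header (the flawed pattern), a hardened version that validates the value first, and a naive response parser showing that the vulnerable output is read as two responses, the second one attacker-controlled. The hostname, the payload and the handler itself are constructed for illustration.

```python
# Added example (not KerioControl code): how a CRLF in the 'dest' parameter
# of a redirect splits one HTTP response into two, and what a hardened
# handler does instead. Hostname, payload and handler are constructed.
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker payload: a CRLF pair ends the 302's headers early,
# then a complete attacker-controlled 200 response carrying HTML follows.
INJECTED_HTML = "<script>alert(1)</script>"
MALICIOUS_DEST = (
    "/\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(INJECTED_HTML)}\r\n\r\n{INJECTED_HTML}"
)
# The crafted link a victim would click (hypothetical host); on the wire the
# line breaks travel as %0D%0A, so nothing looks odd until the server decodes them.
CRAFTED_URL = (
    "https://firewall.example/nonauth/addCertException.cs?dest="
    + quote(MALICIOUS_DEST, safe="")
)


def dest_from_url(url: str) -> str:
    """Extract and URL-decode the 'dest' parameter, as the server would."""
    return parse_qs(urlsplit(url).query)["dest"][0]


def _render_302(dest: str) -> bytes:
    """Render a 302 whose Location header is taken verbatim from `dest`."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(dest: str) -> bytes:
    """Flawed pattern: the decoded parameter goes straight into a header."""
    return _render_302(dest)


def is_safe_dest(dest: str) -> bool:
    """Reject CR/LF (header injection) and anything but a same-origin path."""
    if "\r" in dest or "\n" in dest:
        return False
    return dest.startswith("/") and not dest.startswith("//")


def build_redirect_safe(dest: str) -> bytes:
    """Hardened pattern: validate before the value can reach a header,
    falling back to a fixed location instead of echoing the input."""
    return _render_302(dest if is_safe_dest(dest) else "/")


def parse_responses(raw: bytes) -> list:
    """Parse consecutive HTTP responses the way a naive client or proxy would:
    status line, headers up to the blank line, then Content-Length body bytes."""
    responses = []
    while raw.startswith(b"HTTP/"):
        head, _, rest = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, raw = rest[:length], rest[length:]
        responses.append(
            {"status": lines[0], "headers": headers, "body": body.decode("latin-1")}
        )
    return responses


if __name__ == "__main__":
    dest = dest_from_url(CRAFTED_URL)
    for label, builder in (("vulnerable", build_redirect_vulnerable),
                           ("hardened", build_redirect_safe)):
        parsed = parse_responses(builder(dest))
        print(f"{label}: {len(parsed)} response(s)")
        for r in parsed:
            print("  ", r["status"], "| body:", repr(r["body"]))
```

The vulnerable builder produces bytes that the parser reads as a harmless 302 followed by a 200 whose body is the injected script; the hardened builder refuses the value and emits a single redirect to "/". Rejecting rather than stripping CR and LF is the safer choice, since a stripped value may still be attacker-shaped in other ways.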
A proof-of-concept (PoC) exploit for the vulnerability was made publicly available, illustrating how an attacker could craft a malicious URL. When an administrator clicks on that URL, the injected script runs in the administrator's authenticated browser session and uses the firewall's firmware upgrade feature to upload a malicious .img file, which can ultimately give the attacker root access to the firewall. After the PoC release, attacks exploiting the flaw were first observed on December 28, 2024, with the attempts traced to IP addresses in Singapore and Hong Kong.
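A detection check for the request pattern described above, added here as an example and not tooling from GreyNoise, Censys or GFI: it scans generic combined-format access-log lines (constructed, with documentation-range IP addresses; the real KerioControl log layout may differ) for requests to the three vulnerable paths whose 'dest' parameter decodes to a value containing CR or LF, including double-encoded variants.

```python
# Added example (not vendor or GreyNoise/Censys tooling): flag requests that
# match the CVE-2024-52875 pattern in constructed, generic access-log lines.
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

VULNERABLE_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

# Combined-format access log; the real firewall's format is an assumption here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one benign use of the endpoint, one single-encoded
# CRLF probe, one double-encoded probe, and one CRLF on an unrelated path.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Dec/2024:10:15:01 +0000] '
    '"GET /nonauth/addCertException.cs?dest=%2Fnonauth%2F HTTP/1.1" 302 0',
    '198.51.100.7 - - [28/Dec/2024:10:16:43 +0000] '
    '"GET /nonauth/expiration.cs?dest=%2F%0d%0aContent-Length%3A%200%0d%0a%0d%0a'
    'HTTP%2F1.1%20200%20OK HTTP/1.1" 302 0',
    '198.51.100.7 - - [28/Dec/2024:10:16:44 +0000] '
    '"GET /nonauth/guestConfirm.cs?dest=%2F%250d%250aX-Injected%3A%201 HTTP/1.1" 302 0',
    '192.0.2.5 - - [28/Dec/2024:10:20:00 +0000] '
    '"GET /admin/?dest=%0d%0a HTTP/1.1" 200 512',
]


def decode_param(value: str, rounds: int = 2) -> str:
    """URL-decode repeatedly (bounded) so %250d%250a is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str):
    """Return a reason string if the request target looks like an
    attempt against the vulnerable redirects, otherwise None."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_PATHS:
        return None
    dests = parse_qs(parts.query, keep_blank_values=True).get("dest")
    if not dests:
        return None
    dest = decode_param(dests[0])  # parse_qs already decoded one layer
    if "\r" in dest or "\n" in dest:
        return "CRLF in dest"
    return None


def scan_log(lines) -> list:
    """Run the classifier over log lines and collect the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"])
        if reason:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "reason": reason,
            })
    return hits


def attacker_ips(hits) -> dict:
    """Count hits per source address, the first thing to pivot on."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['path']} -> {h['reason']} (HTTP {h['status']})")
    print("sources:", attacker_ips(found))
```

A 302 status on a flagged line does not mean the attempt failed: the redirect is exactly what the vulnerable endpoint returns, with the injected second response riding behind it. Matching on the decoded parameter rather than on the literal "%0d%0a" is what makes the double-encoded third line visible.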
GFI issued a fix for the vulnerability on December 19, 2024, with the release of version 9.4.5 Patch 1. Despite the availability of the patch, cybersecurity firm GreyNoise has reported ongoing exploitation attempts targeting KerioControl firewalls, and Censys has found over 23,800 internet-exposed instances of the firewall. A significant portion of these exposed servers are located in countries including Iran, Uzbekistan, Italy, Germany, the U.S., and several others. Users of affected versions are urged to apply 9.4.5 Patch 1 without delay and, as a general precaution, to avoid exposing the firewall's web interface to the internet, since the patch only matters once it is installed and an unexposed interface cannot be reached by the crafted links described above.