Over 12,000 instances of the GFI KerioControl firewall are currently exposed to a critical vulnerability, CVE-2024-52875, which enables remote code execution (RCE). KerioControl is widely used by small and medium-sized businesses for network security tasks such as VPNs, traffic filtering, and intrusion prevention. The flaw was discovered by security researcher Egidio Romano in mid-December and was demonstrated to be easily exploitable, enabling attackers to carry out dangerous 1-click RCE attacks. GFI Software responded by releasing a security update in December 2024, but many vulnerable instances remained exposed weeks later.
According to a report by Censys, more than 23,800 instances of the firewall remained unpatched three weeks after the update was released. A subsequent analysis from Greynoise found that there were active exploitation attempts leveraging Romano’s proof-of-concept (PoC) exploit, which targeted the theft of admin CSRF tokens. This exploitation is not limited to skilled attackers, as the low requirements for executing the attack make it possible for even unskilled hackers to participate. The vulnerability allows attackers to manipulate the “dest” GET parameter on certain pages, leading to HTTP Response Splitting attacks and potential XSS attacks.
The vulnerability stems from improper sanitization of user input in the “dest” GET parameter, which can be exploited to manipulate HTTP headers. Specifically, the application fails to properly filter or remove linefeed characters, allowing attackers to inject malicious content into HTTP responses. This can lead to Reflected Cross-Site Scripting (XSS) attacks, which can then be abused to trigger remote code execution.
The vulnerability puts thousands of firewalls at risk, as it allows attackers to execute arbitrary code remotely, stealing credentials and potentially compromising entire systems.
As of the latest reports from The Shadowserver Foundation, 12,229 exposed firewalls remain vulnerable to exploitation. Most of these instances are located in countries including Iran, the United States, Italy, and Russia. GFI Software released an additional security patch, version 9.4.5 Patch 2, on January 31, 2025, which contains further security enhancements to address the issue. Users who have not yet updated their systems are strongly encouraged to install the latest patch to prevent potential attacks and protect their network security.
