Advisory

January 7 Advisory: GFI KerioControl Susceptible to 1-Click RCE Vulnerability [CVE-2024-52875]

Date of Disclosure: December 16, 2024
Date Reported as Actively Exploited: January 5, 2025

**Update** (January 8, 2025): Several malicious IPs associated with CVE-2024-52875 have been observed in GreyNoise, indicating active exploitation attempts in the wild.


CVE-2024-52875 is a vulnerability affecting GFI KerioControl firewalls versions 9.2.5 through 9.4.5. As of now, no official advisory has been released by the National Vulnerability Database (NVD).

The vulnerability resides in several URI paths of the KerioControl web interface, specifically:

  • /nonauth/addCertException.cs
  • /nonauth/guestConfirm.cs
  • /nonauth/expiration.cs

These pages do not properly sanitize user input passed via the dest GET parameter: line feed (LF) characters are not removed before the value is placed in the Location header of the resulting 302 redirect. This allows HTTP response splitting, which in turn enables open redirects and reflected cross-site scripting (XSS).

A proof-of-concept (PoC) exploit has been developed that demonstrates the impact: an attacker crafts a malicious URL, and when an authenticated administrator clicks it, the administrator's session is used to upload a malicious .img file through the firmware upgrade functionality, ultimately giving the attacker root access to the firewall.

Because the affected URI paths (/nonauth/*) require no authentication, they are reachable by external threat actors. Combined with social engineering, this means an administrator may be tricked into clicking a malicious URL.
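The two defensive sides of the flaw described above, as an added example that is not part of the advisory or of GFI's code: a hardened redirect check that rejects a dest value containing CR/LF (the response-splitting condition) or pointing off-host (the open-redirect condition), and a detector that runs the same check over access-log lines for the three affected paths. The log lines, IP addresses and the reason labels are constructed for the example; the affected paths and the dest parameter are the ones the advisory names.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the advisory as affected by CVE-2024-52875.
AFFECTED_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

CRLF_RE = re.compile(r"[\r\n]")


def classify_dest(dest: str) -> Optional[str]:
    """Classify a dest value the way a hardened redirect handler would.
    Returns None for an acceptable same-site path, otherwise a short reason.

    CR or LF anywhere in the value is the response-splitting condition the
    advisory describes; a value that is not a plain absolute path on this
    host (absolute URL, scheme-relative //host, or /\\host) is the
    open-redirect condition. Reason strings are this example's own labels."""
    decoded = unquote(dest)  # defensive: tolerate a still-encoded value
    if CRLF_RE.search(decoded):
        return "crlf-in-dest"
    if not decoded.startswith("/") or decoded.startswith(("//", "/\\")):
        return "external-dest"
    return None


def safe_redirect_target(dest: str) -> Optional[str]:
    """Hardened form of the redirect: reject rather than strip, so a Location
    header is only ever built from a value that passed every check."""
    if classify_dest(dest) is not None:
        return None
    return unquote(dest)


# Constructed access-log lines (not real traffic); 203.0.113.0/24 is the
# RFC 5737 documentation range.
ACCESS_LOG = """\
203.0.113.10 - - [05/Jan/2025:10:00:01 +0000] "GET /nonauth/expiration.cs?dest=/admin/ HTTP/1.1" 302 0
203.0.113.11 - - [05/Jan/2025:10:00:02 +0000] "GET /nonauth/addCertException.cs?dest=/%0d%0aX-Injected:%201 HTTP/1.1" 302 0
203.0.113.12 - - [05/Jan/2025:10:00:03 +0000] "GET /nonauth/guestConfirm.cs?dest=https://evil.example/ HTTP/1.1" 302 0
203.0.113.13 - - [05/Jan/2025:10:00:04 +0000] "GET /index.html?dest=%0a HTTP/1.1" 200 1234
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_suspicious_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan access-log lines and return (client_ip, path, reason) for every
    request to an affected path whose dest value a hardened handler would
    reject. Requests to other paths are ignored even if they carry CR/LF."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path not in AFFECTED_PATHS:
            continue
        # parse_qs percent-decodes values, so %0d%0a arrives here as "\r\n".
        for dest in parse_qs(url.query, keep_blank_values=True).get("dest", []):
            reason = classify_dest(dest)
            if reason is not None:
                hits.append((m.group("ip"), url.path, reason))
    return hits


if __name__ == "__main__":
    for ip, path, reason in find_suspicious_requests(ACCESS_LOG):
        print(f"{ip} {path} {reason}")
```

The handler rejects instead of stripping because a stripped value silently becomes a different redirect target; rejecting keeps the Location header free of anything that did not pass validation. The detector deliberately applies the same predicate as the handler, so a hit in the logs means a request that the patched behaviour would have refused.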

 

CVE-ID: CVE-2024-52875 (CVSS score not yet published)

Vulnerability Description: User input passed to the affected URIs via the "dest" GET parameter is not properly sanitized before being used to generate a "Location" HTTP header in a 302 HTTP response. Specifically, the application does not correctly filter or remove linefeed (LF) characters. This can be exploited to perform HTTP response splitting attacks, potentially enabling reflected XSS and other attacks. The reflected XSS vector can be abused to perform 1-click RCE attacks by injecting malicious JavaScript into unauthenticated endpoints. If these endpoints are accessed by an administrator, their session may be leveraged to upload and execute a malicious firmware file.

Date of Disclosure: December 16, 2024

Affected Assets: the following GFI KerioControl URI paths:

  • /nonauth/addCertException.cs
  • /nonauth/guestConfirm.cs
  • /nonauth/expiration.cs

Vulnerable Software Versions: GFI KerioControl versions 9.2.5 through 9.4.5

PoC Available? Yes; Karma(In)Security has published a PoC exploit.

Exploitation Status: Several malicious IPs associated with CVE-2024-52875 have been observed in GreyNoise, indicating active exploitation attempts in the wild.

Patch Status: GFI Software has addressed this issue in Kerio Control version 9.4.5 Patch 1. Users are strongly advised to update to this version or later to mitigate the risk.
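Turning the version range and patch status above into an inventory check, as an added example that is neither the advisory's nor GFI's code: it parses KerioControl version strings in the form the advisory uses ("9.4.5", "9.4.5 Patch 1"), treats 9.2.5 through 9.4.5 as affected and 9.4.5 Patch 1 or later as fixed, and keeps unparseable versions in a separate bucket rather than silently calling them safe. The host names and version strings in SAMPLE_INVENTORY are constructed; the version string format and the existence of any patch level beyond Patch 1 are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Range stated in the advisory: 9.2.5 through 9.4.5 are affected and
# 9.4.5 Patch 1 carries the fix. Tuples are (major, minor, build, patch).
FIRST_VULNERABLE = (9, 2, 5, 0)
FIXED = (9, 4, 5, 1)

# Assumed format: "X.Y.Z" optionally followed by "Patch N" (or "pN").
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Patch|p)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '9.4.5' or '9.4.5 Patch 1' into a comparable tuple; the patch
    level defaults to 0. Returns None for anything unrecognised so callers
    can treat 'unknown' as its own state."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True inside the affected range, False when older than the range or at
    or after the fix, None when the version string cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return FIRST_VULNERABLE <= v < FIXED


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (host, version_text) pairs into vulnerable / not_vulnerable /
    unknown. 'unknown' hosts need a manual version check, not a pass."""
    result: Dict[str, List[str]] = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        state = is_vulnerable(version_text)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["not_vulnerable"].append(host)
    return result


# Constructed sample inventory (hosts and versions are not real data).
SAMPLE_INVENTORY = [
    ("fw-01.example", "9.4.5 Patch 1"),  # fixed release
    ("fw-02.example", "9.4.5"),          # last affected build
    ("fw-03.example", "9.2.5"),          # first affected build
    ("fw-04.example", "9.2.4"),          # below the affected range
    ("fw-05.example", "9.4.5 Patch 2"),  # assumed later patch level
    ("fw-06.example", ""),               # version not collected
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The ordered-tuple comparison is what makes "Patch 1" sort correctly after the bare "9.4.5": without the fourth element, 9.4.5 and 9.4.5 Patch 1 compare equal and a patched host would be flagged.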

Censys Perspective

At the time of writing, Censys observed 23,862 exposed GFI KerioControl instances, a large proportion of which (17%) are geolocated in Iran. Not all observed instances are necessarily vulnerable, since version information is not available to us.

Figure: Map of Exposed GFI KerioControl Instances

Censys Search Query:

services.software: (vendor="GFI" and product="Kerio Control") and not labels: {honeypot, tarpit}

Censys ASM Query:

host.services.software: (vendor="GFI" and product="Kerio Control") and not host.labels: {honeypot, tarpit}
