
Kerio Control is a comprehensive network security solution used for VPN, bandwidth management, reporting, monitoring, traffic filtering, antivirus protection, and intrusion prevention.
CVE-2024-52875 was disclosed in mid-December 2024 by independent researcher Egidio Romano, who explained that the bug opens the way to severe one-click RCE attacks.
“User input passed to these pages via the ‘dest’ GET parameter is not properly sanitized before being used to generate a ‘Location’ HTTP header in a 302 HTTP response. Specifically, the application does not correctly filter/remove linefeed (LF) characters. As such, this can be exploited to perform both Open Redirect and HTTP Response Splitting attacks, which in turn might allow carrying out Reflected Cross-Site Scripting (XSS) and possibly other attacks,” – Egidio Romano.
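To make the flaw class concrete, here is an added illustration (not Kerio Control's code, and not Romano's PoC): a hypothetical redirect handler that copies a decoded `dest` parameter straight into the `Location` header, a lenient header parser that shows how an LF inside that value turns into extra headers and a body, and a hardened builder that rejects control characters and off-site targets. Function names and the two sample `dest` values are constructed for this example.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample inputs (not captured traffic). SPLIT_DEST carries a
# URL-encoded line feed (%0a), the character class the advisory says was not removed.
BENIGN_DEST = "/admin/dashboard"
SPLIT_DEST = "/admin%0aSet-Cookie:%20session=attacker%0a%0a<html>injected</html>"


def build_redirect_vulnerable(dest: str) -> bytes:
    """Hypothetical naive 302 builder: decodes dest and places it in Location
    without stripping CR/LF, the same flaw class described in the advisory."""
    location = unquote(dest)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_response(raw: bytes) -> Tuple[dict, str]:
    """Parse like a lenient HTTP client: a bare LF is accepted as a line terminator
    and the header block ends at the first empty line. Returns (headers, body)."""
    lines = re.split(r"\r?\n", raw.decode())
    headers = {}
    i = 1  # skip the status line
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:])
    return headers, body


def safe_redirect_target(dest: str) -> Optional[str]:
    """Return dest if it is safe to emit in Location, else None.

    Rejects (checked on the percent-decoded value so %0a / %0d are caught):
      - any ASCII control character, including CR and LF (response splitting)
      - absolute, scheme-relative (//host) or backslash (/\\host) targets (open redirect)
    Only a single local path beginning with '/' is accepted.
    """
    target = unquote(dest)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    if not target.startswith("/") or target.startswith("//") or target.startswith("/\\"):
        return None
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return None
    return dest


def build_redirect_hardened(dest: str, fallback: str = "/") -> bytes:
    """302 builder that only emits validated targets and otherwise redirects to fallback."""
    location = safe_redirect_target(dest) or fallback
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


if __name__ == "__main__":
    hdrs, body = parse_response(build_redirect_vulnerable(SPLIT_DEST))
    print("vulnerable headers:", hdrs)      # Location plus an injected Set-Cookie
    print("vulnerable body:", body[:24])    # attacker-controlled HTML follows the split
    hdrs, body = parse_response(build_redirect_hardened(SPLIT_DEST))
    print("hardened headers:", hdrs)        # Location falls back to "/"
```

The check runs on the decoded value because a server-side framework may already have decoded the query string before the handler sees it; rejecting the whole control-character range, rather than LF alone, also covers CR-only and other header-terminator variants. The open-redirect branch is a separate concern from the splitting branch, which is why both are tested independently.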
Shortly afterwards, GFI Software released a fix (version 9.4.5 Patch 1). Three weeks later, however, Censys reported that more than 23,800 Kerio Control instances remained vulnerable.
At the beginning of January 2025, GreyNoise analysts recorded attempts to steal devices' CSRF tokens using the PoC exploit published by Egidio Romano.
According to The Shadowserver Foundation, the situation has not improved much in the past month: 12,229 Kerio Control firewalls are still vulnerable to CVE-2024-52875. Most of them are located in Iran, the USA, Italy, Germany, Russia, Kazakhstan, Uzbekistan, France, Brazil, and India.

Security experts note that a PoC exploit for CVE-2024-52875 is publicly available and that exploitation is fairly simple; in other words, even low-skilled attackers can carry out CVE-2024-52875 attacks.
GFI Software strongly advises customers to install Kerio Control version 9.4.5 Patch 2, released on January 31, 2025, which contains additional security fixes.