12,000 Kerio Control firewalls remain vulnerable to RCE

📟 News

Date: 14/02/2025

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed back in December 2024.

Kerio Control is a comprehensive network security solution used for VPN, bandwidth management, reporting, monitoring, traffic filtering, antivirus protection, and intrusion prevention.

The CVE-2024-52875 vulnerability was discovered in mid-December 2024 by independent researcher Egidio Romano who explained that this bug opens the way for severe one-click RCE attacks.

“User input passed to these pages via the “dest” GET parameter is not properly sanitized before being used to generate a “Location” HTTP header in a 302 HTTP response. Specifically, the application does not correctly filter/remove linefeed (LF) characters. As such, this can be exploited to perform both Open Redirect and HTTP Response Splitting attacks, which in turn might allow to carry out Reflected Cross-Site Scripting (XSS) and possibly other attacks,” – Egidio Romano.

Shortly after that, GFI Software released updates fixing the problem (version 9.4.5 Patch 1). But three weeks later, Censys experts warned that more than 23,800 Kerio Control instances remain vulnerable.

At the beginning of January 2025, Greynoise analysts recorded attempts to steal devices’ CSRF tokens using the PoC exploit created by Egidio Romano.

According to The Shadowserver Foundation, the situation has worsened in the past month: 12,229 Kerio Control firewalls are still vulnerable to CVE-2024-52875 attacks. Most of them are located in Iran, USA, Italy, Germany, Russia, Kazakhstan, Uzbekistan, France, Brazil, and India.

Security experts remind that a PoC exploit is available for the CVE-2024-52875 vulnerability, and its exploitation is fairly simple. In other words, even novice hackers can deliver CVE-2024-52875 attacks.

GFI Software strongly advises customers to install Kerio Control version 9.4.5 Patch 2 released on January 31, 2025 that contains additional security fixes.

Related posts:
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI

The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…

Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members

The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…

Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management

Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…

Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'

A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…

Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices

The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud

ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…

Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer

Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…

Full article →