CVE-2024-52875 Exposes ROOT Access in Corporate Firewalls

Attackers are actively exploiting CVE-2024-52875, a critical vulnerability in GFI KerioControl, a firewall product designed for small and medium-sized businesses. The flaw is a CRLF injection (HTTP response splitting) bug that can be escalated to remote code execution as root when an administrator clicks a single malicious link.

GFI KerioControl is a network security suite that combines a firewall, VPN, traffic management, antivirus protection, and intrusion prevention. The vulnerability affects versions 9.2.5 through 9.4.5 and stems from the failure to sanitize line feed (LF) characters in the "dest" parameter, whose value is reflected into an HTTP response header. A single LF is enough to terminate that header early, so an attacker can append headers and a response body of their choosing.

On December 16, 2024, security researcher Egidio Romano (Egix) published a detailed write-up of CVE-2024-52875. CRLF injection is often rated as low severity, but Romano showed that here it is far more serious: the injected response body is rendered by the victim's browser on the firewall's own origin, which turns the bug into reflected cross-site scripting. Malicious JavaScript delivered this way can steal cookies and CSRF tokens.
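To make the mechanism in the two paragraphs above concrete, here is an added Python example (not KerioControl's code and not Romano's exploit) that models a redirect handler reflecting `dest` into a `Location` header, the same handler hardened, and a lenient response parser that shows why a bare LF is enough to split the response. The handler, the payload string and the parser are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed attacker-controlled query value. A bare LF (%0a) ends the Location
# header line, a second LF ends the header block, and everything after it is
# treated as the response body by a client that accepts LF as a line terminator.
PAYLOAD = "/%0a%0a<script>alert(document.cookie)</script>"
BENIGN = "/admin/"


def build_redirect_vulnerable(dest: str) -> bytes:
    """Toy model (not KerioControl's code) of a redirect endpoint that copies the
    URL-decoded dest value straight into the Location header."""
    decoded = unquote(dest)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {decoded}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def build_redirect_hardened(dest: str) -> bytes:
    """Same handler with the fix: refuse any CR or LF in the decoded value and
    only accept a same-site relative path, so the header cannot be hijacked."""
    decoded = unquote(dest)
    bad = (
        "\r" in decoded
        or "\n" in decoded
        or not decoded.startswith("/")
        or decoded.startswith("//")  # scheme-relative URL => open redirect
    )
    if bad:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {decoded}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_lenient(raw: bytes):
    """Parse a response the way a lenient client does: CRLF or bare LF both end
    a line, and the first blank line ends the header block.
    Returns (status_line, headers_dict, body)."""
    text = raw.decode("latin-1")
    m = re.search(r"\r?\n\r?\n", text)
    head, body = (text[: m.start()], text[m.end():]) if m else (text, "")
    lines = re.split(r"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    for builder in (build_redirect_vulnerable, build_redirect_hardened):
        status, headers, body = parse_lenient(builder(PAYLOAD))
        print(builder.__name__, status, headers, repr(body))
```

With the vulnerable builder, the lenient parser ends the header block at the two injected LFs, so the server's own `Content-Length` header lands inside the body next to the injected script; the hardened builder returns 400 for the same input and still redirects normally for `BENIGN`.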

With a stolen administrator session and CSRF token, the attacker can abuse Kerio's upgrade functionality to upload a crafted upgrade image containing a script that runs as root, which is used to spawn a reverse shell.

The threat monitoring platform GreyNoise observed attempts to exploit CVE-2024-52875 from four distinct IP addresses on January 8, 2025. The activity is assessed as malicious exploitation rather than security research.

According to Censys, 23,862 KerioControl instances are exposed to the internet, though how many of them remain unpatched is unknown.

GFI Software has released 9.4.5 Patch 1 to address the issue, and users are urged to install it promptly. As interim measures, restrict access to the firewall's web interface to trusted IP addresses only, block the unauthenticated pages under "/nonauth" and the "/admin" interface from untrusted networks, and shorten session lifetimes so that stolen tokens expire quickly.
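An added example (not from GreyNoise, GFI or the original article) of how an operator could hunt for the exploitation attempts described above in their own web access logs and at the same time check the interim "trusted IPs only" measure. It flags requests whose `dest` parameter carries a CR or LF, including single- and double-percent-encoded forms, and requests to the admin interface from outside an assumed trusted management network. The log lines, request paths and trusted network are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed trusted management network; adjust to your environment.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample access log in Common Log Format style. The IPs, paths and
# query strings are illustrative, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2025:10:02:11 +0000] "GET /nonauth/addCertException.cs?dest=%2F%0a%0a%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0
198.51.100.7 - - [08/Jan/2025:10:02:12 +0000] "GET /nonauth/guestConfirm.cs?dest=%2Fadmin%2F HTTP/1.1" 302 0
10.0.0.4 - - [08/Jan/2025:10:03:00 +0000] "GET /admin/ HTTP/1.1" 200 5120
203.0.113.9 - - [08/Jan/2025:10:03:05 +0000] "GET /admin/ HTTP/1.1" 200 5120
203.0.113.5 - - [08/Jan/2025:10:04:40 +0000] "GET /nonauth/expiration.cs?dest=%252F%250a%250aX HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def has_crlf(value: str, max_decodes: int = 2) -> bool:
    """True if value contains CR or LF directly, or after up to max_decodes
    further rounds of percent-decoding (catches %0a as well as %250a)."""
    for _ in range(max_decodes + 1):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return False


def classify(line: str):
    """Return (finding, client_ip, path) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target = m["ip"], m["target"]
    parts = urlsplit(target)
    # parse_qs performs one round of percent-decoding on its own.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() == "dest" and any(has_crlf(v) for v in values):
            return ("crlf-in-dest", ip, parts.path)
    if parts.path.startswith("/admin"):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return ("admin-from-unparseable-ip", ip, parts.path)
        if not any(addr in net for net in TRUSTED_ADMIN_NETS):
            return ("admin-from-untrusted", ip, parts.path)
    return None


def scan(lines):
    """Run classify over every line and keep only the findings."""
    return [finding for finding in (classify(l) for l in lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The second benign line redirects to `/admin/` without any line terminator and is correctly ignored; the double-encoded `%250a` in the last line is caught because `has_crlf` keeps decoding until the value stops changing.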

Sources: reports, release notes, official announcements.