PT-2024-9739 · Gfi · Gfi Kerio Control

Egidio Romano · Published 2024-12-16 · Updated 2025-09-16 · CVE-2024-52875

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: GFI Kerio Control versions 9.2.5 through 9.4.5
Description: An issue was discovered in GFI Kerio Control where the dest GET parameter passed to the "/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs", and "/nonauth/expiration.cs" pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface. Over 12,000 GFI Kerio Control firewall instances are exposed to this critical remote code execution vulnerability. The estimated number of potentially affected devices worldwide is over 23,800. There have been real-world incidents in which this issue was exploited, with attackers attempting to steal admin CSRF tokens and launch 1-click RCE attacks.
Recommendations: GFI Kerio Control versions 9.2.5 through 9.4.5: update to v9.4.5 Patch 1 and audit your firewall access points immediately. As a temporary workaround, consider restricting access to the vulnerable API endpoints "/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs", and "/nonauth/expiration.cs" to minimize the risk of exploitation. Limit interface access and block '/admin' and '/noauth' until the issue is resolved.
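As an added example (not code from the advisory or from GFI), the following Python shows the defensive handling the description implies: a validator that accepts only same-origin, path-absolute redirect targets free of CR/LF for use in a Location header, and a log check that flags requests to the three listed pages whose dest value would fail that validator. The sample request lines and host names are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The three redirecting pages named in the advisory.
VULN_PATHS = ("/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs",
              "/nonauth/expiration.cs")

def redirect_problem(dest: str) -> Optional[str]:
    """Return why 'dest' is unsafe as a Location header value, or None if it is fine."""
    if re.search(r"[\r\n\x00]", dest):
        return "header-injection characters"        # HTTP response splitting
    # Browsers treat '\' like '/', so '/\evil.example' is really '//evil.example'.
    parts = urlsplit(dest.replace("\\", "/"))
    if parts.scheme or parts.netloc:
        return "absolute or protocol-relative URL"  # open redirect
    if not dest.startswith("/"):
        return "not a path-absolute target"
    return None

def safe_redirect_target(dest: str) -> str:
    """Hardened counterpart of copying 'dest' into Location: same-origin paths only, else '/'."""
    return dest if dest and redirect_problem(dest) is None else "/"

def flag_request(request_line: str) -> bool:
    """Detection side: True if a logged request line hits one of VULN_PATHS with an unsafe 'dest'."""
    fields = request_line.split(" ")
    if len(fields) < 2:
        return False
    parts = urlsplit(fields[1])
    if parts.path not in VULN_PATHS:
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("dest", []):
        # parse_qs decoded once already; decode again so double-encoded CR/LF is not missed.
        if value and redirect_problem(unquote(value)) is not None:
            return True
    return False

# Constructed sample request lines (not real traffic); the 2nd and 3rd should be flagged.
SAMPLE_REQUESTS = [
    "GET /nonauth/expiration.cs?dest=/login HTTP/1.1",
    "GET /nonauth/guestConfirm.cs?dest=https://evil.example/ HTTP/1.1",
    "GET /nonauth/addCertException.cs?dest=/%0d%0aX-Test:%201 HTTP/1.1",
    "GET /admin/?dest=//evil.example HTTP/1.1",
]

def flagged_requests(lines=SAMPLE_REQUESTS):
    return [line for line in lines if flag_request(line)]
```

Run `flagged_requests()` over real access-log request lines to find attempts against the listed pages; `safe_redirect_target()` is the check a redirect handler should apply before emitting Location.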

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-11474
CVE-2024-52875

Affected Products

Gfi Kerio Control