
KerioControl firewall flaw actively exploited by hackers

Take action: If you are using KerioControl firewall, make sure the admin interface is accessible only from internal trusted networks - NEVER from the internet. Then patch the system ASAP.

KerioControl, a network security solution aimed at small and medium-sized businesses, is being actively exploited.

The exploited flaw is tracked as CVE-2024-52875 (CVSS score not assigned) and stems from improper sanitization of line feed (LF) characters in the 'dest' parameter, enabling attackers to manipulate HTTP headers and responses. Through this manipulation, malicious JavaScript can be injected into responses and executed in the victim's browser, leading to the theft of cookies or CSRF tokens. Using a stolen admin CSRF token, attackers can upload malicious .IMG files containing root-level shell scripts through the Kerio upgrade functionality, ultimately gaining reverse shell access.

This flaw affects versions 9.2.5 through 9.4.5.

GreyNoise has detected exploitation attempts from four distinct IP addresses, with the activity classified as "malicious" rather than research-based probing. Censys reports 23,862 internet-exposed GFI KerioControl instances, though the number of vulnerable systems remains unclear.

The flaw is patched in version 9.4.5 Patch 1 (released December 19, 2024).

Users are advised to apply version 9.4.5 Patch 1 immediately. If patching isn't possible, users should limit access to the web management interface to trusted IPs, disable public access to the '/admin' and '/noauth' pages, and monitor for exploitation attempts against the 'dest' parameter.
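One way to act on the "monitor the 'dest' parameter" and "trusted IPs only" advice, as an added example that is not code from GFI or from the original page: a small Python scanner over constructed access-log lines that flags requests to the '/admin' and '/noauth' pages arriving from outside an assumed trusted network, and any 'dest' value that still contains a CR or LF after repeated percent-decoding. The log format, the trusted ranges and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, unquote, urlsplit

# Pages the advisory says to keep off the internet; the 'dest' parameter is handled there.
SENSITIVE_PREFIXES = ("/admin", "/noauth")
# Hypothetical trusted management networks (placeholder RFC 1918 ranges).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed access-log lines in common log format, not real traffic.
SAMPLE_LOG = """\
192.168.1.5 - - [10/Feb/2025:12:00:01 +0000] "GET /admin/?dest=%2Fadmin%2Fdashboard HTTP/1.1" 302 0
203.0.113.11 - - [10/Feb/2025:12:00:02 +0000] "GET /noauth/login?dest=%2Fadmin%0D%0AX-Constructed%3A%201 HTTP/1.1" 302 0
203.0.113.12 - - [10/Feb/2025:12:00:03 +0000] "GET /noauth/login?dest=%252Fadmin%250AX-Constructed%253A%201 HTTP/1.1" 302 0
203.0.113.13 - - [10/Feb/2025:12:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 4321
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %250D%250A is caught as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(ip, target):
    """Return the reasons a request deserves attention (empty list if none)."""
    reasons = []
    parts = urlsplit(target)
    if parts.path.startswith(SENSITIVE_PREFIXES) and not any(ip_address(ip) in n for n in TRUSTED_NETS):
        reasons.append("management page reached from untrusted address")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl already removed one layer of encoding
        if name == "dest" and ("\r" in decoded or "\n" in decoded):
            reasons.append("CR/LF in dest parameter (CVE-2024-52875 pattern)")
    return reasons

def scan_log(text):
    """Return (ip, target, reasons) for every flagged line of an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production scanner should count these too
        reasons = classify_request(m["ip"], m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits
```

On the constructed sample, only the two requests from 203.0.113.x with a CR/LF in 'dest' are flagged; the trusted-network request with a clean 'dest' and the static image request are not.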

Update - as of 10th of February 2024, almost two months after releasing the patch and one month after a very public warning of active exploitation, the Shadowserver Foundation reports over 12,000 KerioControl firewalls exposed to attacks via CVE-2024-52875.