Over 12,000 KerioControl Firewalls Vulnerable to RCE Exploits

Thousands of GFI KerioControl firewall devices have remained vulnerable to a critical remote code execution (RCE) flaw, CVE-2024-52875, despite security patches being made available since December 2024. The flaw allows attackers to exploit improper input sanitization in the firewall’s web interface, enabling them to execute malicious code with administrator privileges.

Cybersecurity firms tracking the issue have warned that the vulnerability is actively being exploited, putting thousands of businesses at risk. KerioControl, a firewall solution widely used by small and medium-sized businesses, became the target of hackers after security researcher Egidio Romano discovered the flaw and released a proof-of-concept (PoC) exploit in December.

According to a report from Censys, over 23,800 KerioControl devices were exposed to the internet at the start of January, with 17% of those in Iran. A month later, The Shadowserver Foundation identified 12,229 devices that were still vulnerable, meaning that many companies have failed to apply necessary patches.

The vulnerability stems from improperly sanitized input in multiple unauthenticated URI paths of the KerioControl web interface, allowing attackers to perform HTTP response splitting attacks. This leads to open redirects and reflected cross-site scripting (XSS), which can be used to trick administrators into executing malicious commands.

The flaw's most dangerous aspect is its ability to enable one-click RCE, meaning that if an administrator clicks a specially crafted link, the attacker could gain full control of the firewall system. Romano explained that "the application does not correctly filter/remove linefeed (LF) characters," which makes it possible to manipulate HTTP responses and execute arbitrary code.

Security researchers at GreyNoise also detected active exploitation attempts, with some attackers leveraging the exploit to steal admin CSRF tokens. As reported by BleepingComputer, GFI Software released KerioControl version 9.4.5 Patch 1 on December 19, 2024, followed by Patch 2 on January 31, 2025, which provided additional security enhancements. However, the slow adoption of these updates has left thousands of systems exposed.

Security experts warn that the flaw’s ease of exploitation makes it particularly dangerous, as even low-skilled hackers can use public proof-of-concept exploits to carry out attacks. Companies using KerioControl are strongly advised to upgrade to the latest patched version immediately, implement strict access controls, and monitor for suspicious activity.