Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens


Hackers are attempting to exploit CVE-2024-52875, a critical CRLF injection vulnerability in GFI Software's KerioControl firewall that can be chained into a 1-click remote code execution (RCE) attack.

KerioControl is a network security solution designed for small and medium-sized businesses that combines firewall, VPN, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention.

On December 16, 2024, security researcher Egidio Romano (EgiX) published a detailed writeup on CVE-2024-52875, demonstrating how a seemingly low-severity HTTP response splitting problem could escalate to 1-click RCE.

The vulnerability, which impacts KerioControl versions 9.2.5 through 9.4.5, is caused by improper sanitization of line feed (LF) characters in the ‘dest’ GET parameter, which lets an attacker inject additional HTTP headers and split the server's response.

JavaScript injected into the split response executes in the victim's browser, where it can read cookies or the CSRF token of the admin session.

With the CSRF token of an authenticated admin, the attacker can abuse the KerioControl upgrade functionality to upload a malicious .IMG file containing a shell script that runs as root and opens a reverse shell back to the attacker.
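The mechanism in the three paragraphs above, as an added example that is not KerioControl's code and not from EgiX's writeup: a redirect handler that copies a caller-supplied `dest` into the Location header, a lenient parser that treats a bare LF as a line end (the behaviour that makes LF-only injection work), and a hardened handler. The handler names, the `/noauth`-style payload and the hardened path policy (local, single-slash paths only) are assumptions made for illustration, not a description of GFI's patch.

```python
# Added example: simplified model of HTTP response splitting via an
# unsanitized redirect parameter. Not KerioControl's code.
import re
from urllib.parse import quote, unquote


def build_redirect_vulnerable(dest: str) -> bytes:
    """Redirect handler that copies `dest` into Location unchanged.
    This is the bug class: no check for CR or LF in the value."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


_LINE_BREAK = re.compile(r"[\r\n]")


def build_redirect_hardened(dest: str) -> bytes:
    """Same handler with the checks that close the hole (assumed policy):
    refuse any CR or LF, bare LF included, and only accept a local
    single-slash path so the redirect cannot be pointed off-site."""
    if _LINE_BREAK.search(dest):
        raise ValueError("dest contains a line break")
    if not dest.startswith("/") or dest.startswith("//"):
        raise ValueError("dest must be a local path")
    return build_redirect_vulnerable(dest)


def dest_is_safe(dest: str) -> bool:
    """True when the hardened handler would accept `dest`."""
    try:
        build_redirect_hardened(dest)
        return True
    except ValueError:
        return False


def parse_lenient(raw: bytes):
    """Parse a response the way a lenient client does: a bare LF ends a
    header line and the first empty line ends the header block. Returns
    (status_line, headers, body); the body is cut to Content-Length."""
    text = raw.decode("latin-1")
    parts = re.split(r"\r?\n\r?\n", text, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = re.split(r"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return lines[0], headers, body


# Constructed payload, in the percent-encoded form it would arrive in the
# `dest` query parameter: a harmless path, then bare %0a line breaks that
# terminate the Location header and inject a header block plus an HTML body.
# The server URL-decodes it once before use, which unquote() models here.
INJECTED_JS = "<script>alert(document.cookie)</script>"
ATTACKER_DEST = unquote(
    "/%0aContent-Type:%20text/html%0aContent-Length:%20"
    + str(len(INJECTED_JS)) + "%0a%0a" + quote(INJECTED_JS, safe="")
)


if __name__ == "__main__":
    status, headers, body = parse_lenient(build_redirect_vulnerable(ATTACKER_DEST))
    print(status, headers)
    print("body served to the browser:", body)
    print("hardened accepts attacker dest:", dest_is_safe(ATTACKER_DEST))
    print("hardened accepts /admin/:", dest_is_safe("/admin/"))
```

Run it and the vulnerable handler's output parses as a `text/html` response whose body is the injected script, even though the handler only meant to send an empty redirect; the hardened handler rejects the same value before any header is written.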

Active exploitation

Yesterday, threat monitoring platform GreyNoise observed exploitation attempts targeting CVE-2024-52875 from four distinct IP addresses, possibly using the PoC exploit code published by Romano.

The activity is marked as “malicious” by the threat monitoring platform, indicating that the exploitation attempts are attributed to threat actors rather than researchers probing systems.

Also yesterday, Censys reported 23,862 internet-exposed GFI KerioControl instances, although how many of them are vulnerable to CVE-2024-52875 is unknown.

On December 19, 2024, GFI Software released KerioControl version 9.4.5 Patch 1, which addresses the vulnerability. Users are advised to apply the fix as soon as possible.

If patching is not possible at the moment, admins should limit access to KerioControl’s web management interface to trusted IP addresses and disable public access to the ‘/admin’ and ‘/noauth’ pages via firewall rules.

Monitoring for requests that carry encoded line breaks in the ‘dest’ parameter, and shortening session expiration times so that a stolen session or CSRF token stays usable for less time, are also effective mitigations.
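One way to do the monitoring suggested above, as an added example that is not part of the original article and not a GFI tool: scan web-server access log entries for a `dest` query parameter that contains a CR or LF after URL decoding, including a second decoding round to catch `%250a`-style double encoding aimed at a naive `%0a` filter. The NCSA-style log format, the `/noauth/example.cs` path and the sample lines are constructed for illustration; KerioControl's real log format and the exact vulnerable URL are not taken from the page.

```python
# Added example: detect CR/LF in the `dest` parameter across access log
# lines. Log format, endpoint path and sample entries are constructed.
import re
from urllib.parse import parse_qs, unquote

# NCSA common log format (assumed, not KerioControl's own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

LINE_BREAK = re.compile(r"[\r\n]")


def dest_values(target: str):
    """Yield (decoding_stage, value) for every `dest` query value: once
    decoded as the web server would, then decoded a second time to
    expose double-encoded %250a / %250d."""
    query = target.partition("?")[2]
    for value in parse_qs(query, keep_blank_values=True).get("dest", []):
        yield "single", value
        yield "double", unquote(value)


def scan(lines):
    """Return one finding per request whose `dest` parameter contains a
    CR or LF after one or two rounds of URL decoding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for stage, value in dest_values(m["target"]):
            if LINE_BREAK.search(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "target": m["target"],
                    "decoding": stage,
                })
                break
    return findings


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    # benign post-login redirect
    '203.0.113.5 - - [27/Mar/2025:00:12:47 +0000] '
    '"GET /noauth/example.cs?dest=%2Fadmin%2F HTTP/1.1" 302 0',
    # single-encoded LF, injected header block and a script tag
    '198.51.100.23 - - [27/Mar/2025:00:13:02 +0000] '
    '"GET /noauth/example.cs?dest=%2F%0aContent-Type:%20text/html'
    '%0a%0a%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0',
    # same idea, double-encoded to slip past a filter that only strips %0a
    '198.51.100.23 - - [27/Mar/2025:00:13:05 +0000] '
    '"GET /noauth/example.cs?dest=%2F%250aX-Injected:%201 HTTP/1.1" 302 0',
    # unrelated admin request without a dest parameter
    '203.0.113.5 - - [27/Mar/2025:00:14:10 +0000] "POST /admin/ HTTP/1.1" 200 1182',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} dest has CR/LF ({f['decoding']}-decoded): {f['target']}")
```

Feed real log lines through `scan()` (adjusting `LOG_RE` to the actual format) and alert on any finding; a legitimate `dest` value never needs a line break, so the false-positive rate of this check is effectively zero.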
