Critical vulnerability in KerioControl firewall exploited by hackers.

Thursday, February 13, 2025

Security researchers have issued a warning that more than 12,000 GFI Software KerioControl firewalls have been compromised through CVE-2024-52875, a critical flaw that allows remote code execution (RCE). The vulnerability was discovered by researcher Egidio Romano (EgiX) in mid-December 2024 and was first patched in version 9.4.5 on December 19, 2024. However, data from Censys indicates that over 23,800 devices remain unpatched, leaving them at risk of exploitation.

Reports from GreyNoise and the Shadowserver Foundation confirm ongoing attacks leveraging publicly available proof-of-concept (PoC) code. The exploit lets attackers steal admin CSRF tokens and then carry out further attacks. Experts rate the risk as high because the exploitation threshold is low, which puts the flaw within reach of even low-skilled attackers. The attack chains HTTP response splitting with reflected XSS, so a single click by a user is enough to compromise a system.
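The attack path described above (a request parameter that is copied into an HTTP response header, so that CR/LF characters split the response and inject attacker-controlled content) is a generic pattern. The following is an added example, not code from the article or from GFI's product, showing the defensive side of it: a raw-value CR/LF check that also catches double percent-encoding, a hardened redirect-header builder that refuses such values, and a small scanner that flags the pattern in web-server access logs. The log lines, the `/login?dest=` endpoint and the IP addresses are constructed for illustration and are not taken from the article or from any real device.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (hypothetical endpoint and clients, not real data).
# Line 1 is a normal redirect; lines 2 and 3 carry CR/LF in the `dest` parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2025:10:01:02 +0000] "GET /login?dest=%2Fdashboard HTTP/1.1" 302 0
10.0.0.9 - - [13/Feb/2025:10:01:07 +0000] "GET /login?dest=%2Fx%0d%0aSet-Cookie%3A+a%3Db HTTP/1.1" 302 0
10.0.0.9 - - [13/Feb/2025:10:01:09 +0000] "GET /login?dest=%2Fx%0D%0A%0D%0A%3Cscript%3E HTTP/1.1" 302 0
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def has_crlf(value: str) -> bool:
    """True if the value carries a carriage return or line feed after percent-decoding.

    Decoding is applied twice so that double-encoded sequences such as %250d%250a,
    which a naive single decode would miss, are also caught.
    """
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return "\r" in decoded or "\n" in decoded


def unsafe_location_header(dest: str) -> str:
    """Vulnerable pattern: the decoded parameter goes straight into a header line."""
    return "Location: " + unquote(dest)


def safe_location_header(dest: str) -> str:
    """Hardened pattern: reject CR/LF before the value can reach a response header."""
    if has_crlf(dest):
        raise ValueError("CR/LF in redirect target")
    return "Location: " + unquote(dest)


def flag_crlf_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter_name, raw_value) for every request whose
    query string carries a CR/LF sequence in any parameter value."""
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        # Work on the raw (still percent-encoded) query so the logged value is preserved.
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            if not pair:
                continue
            name, _, raw_value = pair.partition("=")
            if has_crlf(raw_value):
                hits.append((client_ip, name, raw_value))
    return hits


if __name__ == "__main__":
    for ip, name, raw in flag_crlf_requests(SAMPLE_LOG):
        print(f"CR/LF in parameter {name!r} from {ip}: {raw}")
```

The check is deliberately applied to the raw parameter rather than to the already-decoded value a framework hands back, so a review of historical logs can see exactly what arrived on the wire. In a real deployment the log format and the parameter names would come from the device in question; the detection logic itself does not depend on them.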

To mitigate these threats, GFI released an updated patch, version 9.4.5 Patch 2, on January 31, 2025, which also addresses additional vulnerabilities. KerioControl users are strongly advised to update their systems immediately to prevent potential attacks. Failure to apply the update leaves organizations exposed to cybercriminal threats.

Source: https://www.bleepingcomputer.com/news/security/over-12-000-keriocontrol-firewalls-exposed-to-exploited-rce-flaw/