cbcvebase.
CVE-2024-52875
published 2025-01-31

Priority: P1 79, high
CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 29.12% (97.9th percentile)
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.

Affected

1 range
Vendor: gfi · Product: kerio_control · Version range: 9.2.5 – 9.4.5 · Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d
url: /nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d
url: /nonauth/expiration.cs?dest=VGVzdA0KQ1JMRjo%3d
url: /nonauth/guestConfirm.cs?dest=Cgo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4%3d
path: /nonauth/addCertException.cs
path: /nonauth/guestConfirm.cs
path: /nonauth/expiration.cs
port: 4081
snort
alert http $EXTERNAL_NET any -> $HOME_NET 4081 (msg:"ET WEB_SPECIFIC_APPS Kerio Control CRLF Injection via dest Parameter (CVE-2024-52875)"; flow:established,to_server; http.uri; content:"/nonauth/"; startswith; fast_pattern; content:".cs?"; distance:0; content:"dest|3d|"; distance:0; pcre:"/^[\S]*?(?:(?:Cg|DQ)|[NK][CD]|[o0][NK])/R"; reference:url,karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875; reference:cve,2024-52875; classtype:web-application-activity; sid:2059029; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_08, cve CVE_2024_52875, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $HOME_NET 4081 -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Kerio Control HTTP Response Splitting (CVE-2024-52875)"; flow:established,to_client; http.stat_code; content:"302"; http.header_names; to_lowercase; content:"location|0d 0a 0d 0a|"; http.response_body; content:"Server|3a 20|Kerio Control"; fast_pattern; reference:url,karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875; reference:cve,2024-52875; classtype:web-application-activity; sid:2059030; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_08, cve CVE_2024_52875, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)
bytes
location|0d 0a 0d 0a|
  • Detect HTTP 302 responses from KerioControl (port 4081) where the Location header contains a double CRLF sequence (\r\n\r\n / 0d 0a 0d 0a), indicating successful HTTP response splitting.
  • Alert on inbound HTTP requests to port 4081 where the URI starts with /nonauth/, contains .cs?, and the dest parameter value matches one of the ET PCRE's base64 fragments for an encoded CR/LF (Cg, DQ, [NK][CD] or [o0][NK]): /^[\S]*?(?:(?:Cg|DQ)|[NK][CD]|[o0][NK])/R
  • Monitor for admin CSRF token theft attempts followed by upload of .IMG files via the KerioControl upgrade functionality, which is the RCE escalation path.
  • Use Shodan/FOFA queries to identify exposed KerioControl instances: shodan-query 'Kerio Control', fofa-query 'Kerio Control'.
  • Nuclei template detection: match HTTP response header for regex (?m)^Crlf:\s*$ OR body containing alert(document.domain) with content-type text/html, Location header present, and status code 302.
  • The Snort/ET rules (sid:2059029, sid:2059030) require TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective, as KerioControl traffic on port 4081 may be TLS-encrypted.
  • Active exploitation was confirmed from four distinct IP addresses by GreyNoise; activity is attributed to threat actors (marked 'malicious'), not researchers.
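A defender-side implementation of the two indicators above, added here as an example and not taken from the advisory, the ET ruleset or Kerio: it reproduces the sid:2059029 dest-parameter PCRE and the sid:2059030 split-302 logic in Python and, for requests, also base64-decodes dest so CR/LF is caught at any alignment. The function names (decode_dest, classify_request, split_302_indicator), the benign URI and the split response are assumptions of this example; the other sample URI is one of the page's IOCs.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Paths the advisory lists as reachable without authentication (port 4081).
VULN_PATHS = {"/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs",
              "/nonauth/expiration.cs"}
# PCRE from ET sid:2059029, applied to the text that follows "dest=".
ET_DEST_PCRE = re.compile(r"^[\S]*?(?:(?:Cg|DQ)|[NK][CD]|[o0][NK])")

def decode_dest(value):
    """URL-decode, then base64-decode, a raw dest value; b"" if not base64."""
    text = unquote(value)           # not unquote_plus: '+' is a base64 char
    text += "=" * (-len(text) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return b""

def classify_request(uri):
    """Return (vulnerable_path, et_pcre_hit, decoded_has_crlf) for one URI."""
    parts = urlsplit(uri)
    on_path = parts.path in VULN_PATHS
    values = [p[5:] for p in parts.query.split("&") if p.startswith("dest=")]
    if not on_path or not values:
        return (on_path, False, False)
    # The PCRE is the wire-speed heuristic; decoding is the authoritative check.
    crlf = any(b"\r" in decode_dest(v) or b"\n" in decode_dest(v) for v in values)
    return (True, any(ET_DEST_PCRE.match(v) for v in values), crlf)

def split_302_indicator(response):
    """Mirror ET sid:2059030: 302, header block ends at Location, server headers in body."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or status[1] != b"302":
        return False
    names = [l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l]
    return (bool(names) and names[-1] == b"location"
            and b"Server: Kerio Control" in body)

# Constructed samples: one IOC URI from this page, a benign target, a split 302.
SAMPLE_URIS = {
    "crlf": "/nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d",
    "benign": "/nonauth/expiration.cs?dest=aHR0cHM6Ly9leGFtcGxlLmNvbS8%3d",
}
SPLIT_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: \r\n\r\n"
                  b"Server: Kerio Control\r\nContent-Type: text/html\r\n\r\n<b>x</b>")
```

Run the two classifiers over proxy or IDS logs for port 4081; a request flagged by the decoded check but not the PCRE is worth keeping, since the PCRE only covers a few base64 alignments.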

CVSS provenance

nvd: v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH