CVE-2024-52875
Published: 2025-01-31
Priority: P1 · 79 · high · CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 29.12% (97.9th percentile)
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gfi | kerio_control | 9.2.5 – 9.4.5 | — |
Detection & IOCs (extracted from sources)
URL: /nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d
URL: /nonauth/guestConfirm.cs?dest=VGVzdA0KQ1JMRjo%3d
URL: /nonauth/expiration.cs?dest=VGVzdA0KQ1JMRjo%3d
URL: /nonauth/guestConfirm.cs?dest=Cgo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4%3d
Port: 4081
Snort rule (sid:2059029):
alert http $EXTERNAL_NET any -> $HOME_NET 4081 (msg:"ET WEB_SPECIFIC_APPS Kerio Control CRLF Injection via dest Parameter (CVE-2024-52875)"; flow:established,to_server; http.uri; content:"/nonauth/"; startswith; fast_pattern; content:".cs?"; distance:0; content:"dest|3d|"; distance:0; pcre:"/^[\S]*?(?:(?:Cg|DQ)|[NK][CD]|[o0][NK])/R"; reference:url,karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875; reference:cve,2024-52875; classtype:web-application-activity; sid:2059029; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_08, cve CVE_2024_52875, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Snort rule (sid:2059030):
alert http $HOME_NET 4081 -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Kerio Control HTTP Response Splitting (CVE-2024-52875)"; flow:established,to_client; http.stat_code; content:"302"; http.header_names; to_lowercase; content:"location|0d 0a 0d 0a|"; http.response_body; content:"Server|3a 20|Kerio Control"; fast_pattern; reference:url,karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875; reference:cve,2024-52875; classtype:web-application-activity; sid:2059030; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_08, cve CVE_2024_52875, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)
Bytes: location|0d 0a 0d 0a|
- Detect HTTP 302 responses from KerioControl (port 4081) where the Location header is followed by a double CRLF sequence (\r\n\r\n / 0d 0a 0d 0a), indicating successful HTTP response splitting.
- Alert on inbound HTTP requests to port 4081 where the URI starts with /nonauth/, contains .cs?, and the dest parameter value matches the base64-encoded CR/LF patterns in the ET PCRE (Cg, DQ, [NK][CD], [o0][NK]): /^[\S]*?(?:(?:Cg|DQ)|[NK][CD]|[o0][NK])/R
- Monitor for admin CSRF token theft attempts followed by upload of .IMG files via the KerioControl upgrade functionality, which is the RCE escalation path.
- Use Shodan/FOFA queries to identify exposed KerioControl instances: shodan-query 'Kerio Control', fofa-query 'Kerio Control'.
- Nuclei template detection: match HTTP response header for regex (?m)^Crlf:\s*$ OR body containing alert(document.domain) with content-type text/html, Location header present, and status code 302.
- The Snort/ET rules (sid:2059029, sid:2059030) require TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective, as KerioControl traffic on port 4081 may be TLS-encrypted.
- Active exploitation was confirmed from four distinct IP addresses by Greynoise; activity is attributed to threat actors (marked 'malicious'), not researchers.
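The two detection angles in the list above (base64-encoded CR/LF in the dest parameter of a request, and a 302 response whose header block is cut short by an injected blank line) can be checked outside Snort as well. The following Python is an added example written for this page; it is not code from the page, from Emerging Threats or from GFI. It ports the request-side PCRE of sid:2059029, adds a base64-decode step that confirms a real CR/LF (the ET pattern alone also fires on benign values whose encoding happens to contain "DQ" in the middle of a base64 group), and ports the response-side logic of sid:2059030 (Location as the last header name plus the server's own Server header spilled into the body). All sample URIs and responses are constructed; the first two dest values are the IOCs listed above, and the example assumes dest is standard base64, which is what those IOCs decode as.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory; the vulnerable parameter is "dest" on each.
VULNERABLE_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

# Python port of the PCRE in ET sid:2059029. The rule applies it relative to
# "dest=" (/R), so here it runs against the text that follows "dest=".
# The alternatives are 0x0D / 0x0A at each of the three base64 alignments:
#   "DQ" / "Cg"  -> \r / \n as the first byte of a 3-byte group
#   "[NK][CD]"   -> \r / \n as the second byte
#   "[o0][NK]"   -> \r / \n as the third byte
ET_DEST_PCRE = re.compile(r"^[\S]*?(?:(?:Cg|DQ)|[NK][CD]|[o0][NK])")


def et_prefilter_matches(uri: str) -> bool:
    """Approximate the request-side ET signature on a raw request URI."""
    path, _, query = uri.partition("?")
    if not path.startswith("/nonauth/") or ".cs" not in path:
        return False
    idx = query.find("dest=")
    if idx < 0:
        return False
    return ET_DEST_PCRE.search(query[idx + len("dest="):]) is not None


def decode_dest(value: str) -> Optional[bytes]:
    """Base64-decode a dest value, tolerating missing padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def dest_has_crlf(uri: str) -> bool:
    """Confirm an injection: CR or LF in the raw dest value or in its decoding."""
    for value in parse_qs(urlsplit(uri).query, keep_blank_values=True).get("dest", []):
        if "\r" in value or "\n" in value:
            return True
        decoded = decode_dest(value)
        if decoded is not None and (b"\r" in decoded or b"\n" in decoded):
            return True
    return False


def classify_request(uri: str) -> str:
    """'confirmed': decoded dest carries CR/LF; 'prefilter-only': only the ET
    pattern fired (review candidate); 'clean' otherwise."""
    if urlsplit(uri).path not in VULNERABLE_PATHS:
        return "clean"
    if dest_has_crlf(uri):
        return "confirmed"
    if et_prefilter_matches(uri):
        return "prefilter-only"
    return "clean"


HEADER_BLOCK_END = re.compile(rb"\r?\n\r?\n")  # bare LF pairs also end a header block


def response_is_split(raw: bytes) -> bool:
    """Port of ET sid:2059030: a 302 whose last header name is Location and whose
    body carries the server's own 'Server: Kerio Control' header, i.e. the
    injected blank line terminated the header block early."""
    m = HEADER_BLOCK_END.search(raw)
    if m is None:
        return False
    head, body = raw[:m.start()], raw[m.end():]
    status_line, *header_lines = re.split(rb"\r?\n", head)
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != b"302":
        return False
    names = [h.split(b":", 1)[0].strip().lower() for h in header_lines if h]
    return bool(names) and names[-1] == b"location" and b"Server: Kerio Control" in body


# Constructed sample request URIs: the first two dest values are the IOCs from the
# advisory, the last two are made-up benign values.
SAMPLE_URIS = [
    "/nonauth/addCertException.cs?dest=VGVzdA0KQ1JMRjo%3d",  # base64("Test\r\nCRLF:")
    "/nonauth/guestConfirm.cs?dest=Cgo8c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3NjcmlwdD4%3d",
    "/nonauth/expiration.cs?dest=" + base64.b64encode(b"/admin/login").decode(),  # L2FkbWluL2xvZ2lu
    # L3RpY2tldHMvSDQ2: "DQ" appears mid-group, so the ET pattern fires on clean data
    "/nonauth/expiration.cs?dest=" + base64.b64encode(b"/tickets/H46").decode(),
]

# Constructed responses: one split by an injected LF LF after "Location: " (the
# server's remaining headers land in the body) and two ordinary redirects.
SPLIT_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: \n\n"
                  b"<script>alert(document.domain)</script>\r\n"
                  b"Content-Type: text/html\r\nServer: Kerio Control\r\n\r\n")
NORMAL_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: /login\r\n"
                   b"Server: Kerio Control\r\nContent-Length: 0\r\n\r\n")
LOCATION_LAST_RESPONSE = b"HTTP/1.1 302 Found\r\nServer: Kerio Control\r\nLocation: /login\r\n\r\n"

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{classify_request(uri):15} {uri}")
    for label, resp in [("split", SPLIT_RESPONSE), ("normal", NORMAL_RESPONSE),
                        ("location-last", LOCATION_LAST_RESPONSE)]:
        print(f"{label:15} response_is_split={response_is_split(resp)}")
```

The decode step is what keeps the alert actionable: the ET pattern is a fast byte-level prefilter that cannot know where a base64 group boundary falls, so it reports "DQ" in /tickets/H46 just as it reports a real carriage return, while the decoded bytes settle the question. On the response side, both conditions of sid:2059030 are needed; a redirect that merely lists Location last is not evidence of splitting unless the server's own headers show up in the body.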
CVSS provenance
NVD (v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH
GHSA
GHSA-wwwq-jmfm-4f5c · ghsa_unreviewed · 2025-01-31 · CVE-2024-52875 [HIGH] · CWE-113
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.
VulnCheck
GFI KerioControl HTTP Response Splitting Vulnerability · vulncheck · 2024 · CVE-2024-52875 [HIGH] · CVSS 8.8
Several vulnerabilities are present in GFI KerioControl due to improper sanitization of the 'dest' GET parameter used to generate a 'Location' HTTP header. The affected endpoints include /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs. Exploitation could allow for HTTP response splitting and may additionally lead to a reflected cross-site scripting (XSS).
Affected: GFI Software KerioControl
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://censys.com/cve-2024-52875/; https://viz.greynoise.io/tags/kerio-control-cve-2024-52875-crlf-injection-attempt; https://dash
Suricata
ET WEB_SPECIFIC_APPS Kerio Control CRLF Injection via dest Parameter (CVE-2024-52875) · suricata · 2025-01-08 · HIGH · CVSS 8.8
Rule: sid:2059029 (the full rule text is reproduced under Detection & IOCs above).
Suricata
ET WEB_SPECIFIC_APPS Kerio Control HTTP Response Splitting (CVE-2024-52875) · suricata · 2025-01-08 · HIGH · CVSS 8.8
Rule: sid:2059030 (the full rule text is reproduced under Detection & IOCs above).
Nuclei
Kerio Control v9.2.5 - CRLF Injection · nuclei · CVE-2024-52875 [HIGH] · CVSS 8.8
Kerio Control, formerly known as Kerio WinRoute Firewall, has been found vulnerable to multiple HTTP Response Splitting vulnerabilities in product affecting versions 9.2.5
Template:
```yaml
id: CVE-2024-52875
info:
  name: Kerio Control v9.2.5 - CRLF Injection
  author: ritikchaddha,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Kerio Control, formerly known as Kerio WinRoute Firewall, has been found vulnerable to multiple HTTP Response Splitting vulnerabilities in product affecting versions 9.2.5
  impact: |
    Attackers can perform HTTP response splitting attacks to inject arbitrary HTTP headers and content, potentially leading to XSS, cache poisoning, or session hijacking.
  remediation: |
    Update Kerio Control to a version later than 9.2.5 that addr
```
Bleepingcomputer
## Over 12,000 KerioControl firewalls exposed to exploited RCE flaw
blogs_bleepingcomputer · 2025-02-10 · CVE-2024-52875 [HIGH] · CVSS 8.8
By Bill Toulas
Over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability tracked as CVE-2024-52875.
KerioControl is a network security suite that small and medium-sized businesses use for VPNs, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention.
The flaw in question was discovered in mid-December by security researcher Egidio Romano (EgiX), who demonstrated the potential for dangerous 1-click RCE attacks.
GFI Software released a security update for the problem with version 9.4.5 Patch 1 on December 19, 2024, yet three weeks later, according to Censys, over 23,800 instances remained vulnerable.
Early l
Bleepingcomputer
## Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens
blogs_bleepingcomputer · 2025-01-08 · CVE-2024-52875 [HIGH] · CVSS 8.8
By Bill Toulas
Hackers are trying to exploit CVE-2024-52875, a critical CRLF injection vulnerability that leads to 1-click remote code execution (RCE) attacks in the GFI KerioControl firewall product.
KerioControl is a network security solution designed for small and medium-sized businesses that combines firewall, VPN, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention.
On December 16, 2024, security researcher Egidio Romano (EgiX) published a detailed writeup on CVE-2024-52875, demonstrating how a seemingly low-severity HTTP response splitting problem could escalate to 1-click RCE.
The vulnerability, which impacts KerioControl versions 9.2.5 through 9.4.5, is d