Open Redirect and XSS Vulnerability in GFI Kerio Control
CVE-2024-52875

8.8 HIGH

Key Information:

Vendor: GFI

CVE Published: 31 January 2025

Badges: Score 588 | Exploit Exists | EPSS 60% | News Worthy

What is CVE-2024-52875?

CVE-2024-52875 is a vulnerability identified in GFI Kerio Control, a widely used network security solution designed to manage and protect corporate networks. This vulnerability arises from improper sanitization of the 'dest' GET parameter in certain endpoints, leaving the system open to Open Redirect and Cross-Site Scripting (XSS) attacks. Organizations using GFI Kerio Control may face significant security risks due to this flaw, including unauthorized access to sensitive information, manipulation of web content, and the potential for further exploitation through remote command execution.

Technical Details

The vulnerability exists in GFI Kerio Control versions 9.2.5 through 9.4.5. Specifically, it concerns the handling of the 'dest' parameter on the following pages: /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs. The value of this parameter is not validated before it is used as a redirect target, which yields an Open Redirect. Because carriage-return and line-feed characters are not stripped either, the same parameter allows CRLF injection (HTTP response splitting), which in turn enables reflected XSS. Furthermore, by leveraging the upgrade feature in the administrative interface, an attacker who has obtained an administrator's session in this way could potentially achieve remote command execution.
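The following is an added example, not code from GFI or from this advisory: it shows the kind of validation a redirect parameter such as 'dest' needs (reject CR/LF, schemes and external hosts, accept only same-site paths), and a scan of web-server access logs that flags requests to the three affected pages whose 'dest' value fails that check. The endpoint paths and parameter name come from the advisory; the log format and the sample log lines are constructed for the example.

```python
# Added example (not GFI/Kerio code): safe-redirect validation for a
# 'dest'-style parameter, plus a log scan for hostile 'dest' values sent
# to the pages named in CVE-2024-52875.
import re
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED = ("/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs",
            "/nonauth/expiration.cs")

def is_safe_dest(dest: str) -> bool:
    """True only if dest (one URL-encoding layer) is a plain same-site path."""
    raw = unquote(dest)
    # CR/LF must be rejected before urlsplit(), which silently drops them;
    # either character in a header value is a response-splitting primitive.
    if any(c in raw for c in "\r\n\x00"):
        return False
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:      # http://..., //host, javascript:
        return False
    return raw.startswith("/") and not raw.startswith(("//", "/\\"))

def safe_dest(dest: str, default: str = "/") -> str:
    """Return the decoded dest if it is safe, otherwise a fixed fallback."""
    return unquote(dest) if is_safe_dest(dest) else default

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2025:10:00:01 +0000] "GET /nonauth/expiration.cs?dest=%2Fadmin HTTP/1.1" 302 0
10.0.0.6 - - [31/Jan/2025:10:00:02 +0000] "GET /nonauth/guestConfirm.cs?dest=%0d%0aX-Injected%3A+1 HTTP/1.1" 302 0
10.0.0.7 - - [31/Jan/2025:10:00:03 +0000] "GET /nonauth/addCertException.cs?dest=https%3A%2F%2Fexample.invalid%2F HTTP/1.1" 302 0
10.0.0.8 - - [31/Jan/2025:10:00:04 +0000] "GET /login.cs?dest=%0d%0a HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Yield (path, decoded dest) for affected pages given an unsafe dest."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path not in AFFECTED:
            continue
        for dest in parse_qs(url.query).get("dest", []):  # already decoded once
            if not is_safe_dest(dest):
                yield url.path, dest

if __name__ == "__main__":
    for path, dest in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"suspicious dest on {path}: {dest!r}")
```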

Potential Impact of CVE-2024-52875

  1. Unauthorized Access to Sensitive Data: Attackers could manipulate the application to redirect users to malicious sites or perform actions that compromise confidential information, leading to data breaches.

  2. Web-Based Exploitation: The ability to execute XSS allows malicious scripts to run in the context of the user’s browser, which could be used to steal session tokens, hijack accounts, or perform actions on behalf of the user.

  3. Remote Command Execution: The existing functionality of the administrative interface can be exploited to execute arbitrary commands remotely, posing a significant risk to organizational security and potentially leading to a full compromise of the affected systems.

Affected Version(s)

Kerio Control 9.2.5 through 9.4.5 (inclusive)

News Articles

Over 12,000 KerioControl firewalls exposed to exploited RCE flaw

Over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability tracked as CVE-2024-52875.

Ivanti patches actively exploited zero-day.

Attackers target one-click vulnerability affecting GFI KerioControl firewalls. Palo Alto Networks patches vulnerabilities affecting its Expedition migration tool.

Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

CVE-2024-52875, a critical RCE flaw in GFI KerioControl firewalls, allows HTTP response splitting and exploits over 23,800 internet-exposed instances

EPSS Score

60% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Exploit known to exist
  • Vulnerability published
  • First article discovered by Cyber Security News
  • Vulnerability Reserved