Critical KerioControl Flaw Lets Hackers Hijack Admin Accounts with One Click

Critical Vulnerability in GFI KerioControl Firewall Under Active Exploitation

A severe security flaw (CVE-2024-52875) in the GFI KerioControl firewall is currently being exploited in the wild, enabling one-click remote code execution attacks against administrators. The vulnerability affects versions 9.2.5 through 9.4.5 of the network security appliance, which is widely used by small and medium-sized businesses.

Security researcher Egidio Romano discovered that a CRLF injection vulnerability in the ‘dest’ query parameter could be exploited to manipulate HTTP response headers and the response body. This allows an attacker to inject malicious JavaScript into a page served by the firewall, which can steal the session cookies and CSRF tokens of an administrator who follows a crafted link.

Using stolen credentials, attackers can upload malicious .IMG files containing root-level shell scripts through the Kerio upgrade functionality, ultimately gaining unauthorized system access.

Current Threat Landscape:
– GreyNoise detected exploitation attempts from four distinct IP addresses
– Censys identified 23,862 internet-exposed GFI KerioControl instances
– Active exploitation confirmed as malicious rather than research-based probing

Mitigation Steps:
1. Update to KerioControl version 9.4.5 Patch 1 (released December 19, 2024)
2. Restrict access to web management interface to trusted IPs
3. Disable public access to ‘/admin’ and ‘/noauth’ pages
4. Monitor ‘dest’ parameter exploitation attempts
5. Configure shorter session expiration times
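Step 4 above asks administrators to monitor for exploitation attempts against the ‘dest’ parameter, and the earlier description of the flaw explains why: the value is reflected into the HTTP response, so a CR/LF sequence in it can terminate a header and start injected content. The following script is an added defensive example, not code from GFI or from the article, that scans web-server access logs for that pattern. It assumes a combined-log-format access log, uses a constructed placeholder path (/noauth/page) rather than KerioControl's real endpoints, and the sample log lines are constructed, not real traffic. Percent-decoding is repeated so that double-encoded sequences such as %250d%250a are caught as well.

```python
"""Flag CRLF-injection attempts against a 'dest' query parameter in access logs.

Added defensive example. The log format, the /noauth/page path and the sample
lines below are constructed assumptions, not KerioControl's real endpoints or
traffic.
"""
import re
from urllib.parse import unquote

# Combined-log-format request line: client IP, then the quoted request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Raw (still percent-encoded) value of every dest= parameter in a query string.
DEST_RE = re.compile(r"(?:^|&)dest=([^&]*)")

# Constructed sample lines (not real traffic). Line 1 and line 4 are benign
# redirects; line 2 carries an encoded CRLF, an injected header and a script
# tag; line 3 is the same idea double-encoded to evade a naive %0d%0a filter.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:08:01:02 +0000] "GET /noauth/page?dest=%2Fadmin%2F HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2025:08:01:05 +0000] "GET /noauth/page?dest=%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2025:08:01:09 +0000] "GET /noauth/page?dest=%250d%250aSet-Cookie:%20x=y HTTP/1.1" 302 0
192.0.2.44 - - [10/Jan/2025:08:02:00 +0000] "GET /admin/?dest=%2Fnoauth%2Fpage HTTP/1.1" 200 512
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %250d becomes a real CR."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def dest_findings(raw_value):
    """Return the reasons a raw 'dest' value looks like response injection.

    An empty list means the value is a plain redirect target. The order of
    reasons is fixed: crlf, injected-header, script-tag.
    """
    decoded = fully_decode(raw_value)
    reasons = []
    if "\r" in decoded or "\n" in decoded:
        reasons.append("crlf")
    # A line break followed by "Name:" is the shape of an injected header.
    if re.search(r"[\r\n]\s*[\w-]+\s*:", decoded):
        reasons.append("injected-header")
    if re.search(r"<\s*script", decoded, re.IGNORECASE):
        reasons.append("script-tag")
    return reasons


def scan_log(text):
    """Return (client_ip, raw_dest, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip, don't crash
        query = match.group("target").partition("?")[2]
        for raw in DEST_RE.findall(query):
            reasons = dest_findings(raw)
            if reasons:
                hits.append((match.group("ip"), raw, reasons))
    return hits


if __name__ == "__main__":
    for ip, raw, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}  dest={raw!r}  -> {', '.join(reasons)}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; a hit on the ‘crlf’ reason alone is already worth an alert, because a legitimate redirect target never contains a line break. Repeated hits from one source, as in the constructed sample, are a candidate for the trusted-IP restriction in step 2.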

Organizations using GFI KerioControl are strongly advised to implement these security measures immediately to protect against potential attacks.
