
A severe security vulnerability (CVE-2024-52875) is currently exposing over 12,000 GFI KerioControl firewall systems to potential remote code execution attacks. The flaw, discovered by security researcher Egidio Romano in December, affects KerioControl’s network security suite, which is widely used by small and medium-sized businesses for various security functions including VPN, traffic filtering, and intrusion prevention.
Despite GFI Software releasing a patch (version 9.4.5 Patch 1) in December 2024, Censys reported that 23,800 instances remained vulnerable three weeks after the update. GreyNoise has confirmed active exploitation attempts using Romano’s proof-of-concept exploit, targeting admin CSRF tokens.
The Shadowserver Foundation’s latest report indicates that 12,229 KerioControl firewalls remain exposed, with significant concentrations in Iran, the United States, Italy, Germany, Russia, Kazakhstan, Uzbekistan, France, Brazil, and India.
The vulnerability stems from improper sanitization of user input in the “dest” GET parameter. Because the value is not filtered for carriage-return and line-feed characters before being reflected into a response header, it can be exploited through HTTP Response Splitting, potentially leading to Reflected Cross-Site Scripting (XSS) and, from there, remote code execution.
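The defensive side of that mechanism, as an added example that is not KerioControl code or the vendor’s patch: a validator that refuses CR/LF in a redirect target before it is written into a Location header, and a scanner that flags access-log requests whose dest parameter decodes to a value containing CR/LF. The log lines and the /login endpoint path are constructed assumptions, not real product paths.

```python
import re
from urllib.parse import urlparse, parse_qs

# Raw CR or LF in a value about to be written into an HTTP header is the
# signature of header injection (HTTP response splitting).
CRLF = re.compile(r"[\r\n]")

def is_safe_redirect_target(dest: str) -> bool:
    """Return True only if 'dest' may be copied into a Location header.

    Rejects CR/LF (the response-splitting vector) and anything that is not a
    same-origin absolute path, so the value can neither start new header
    lines nor redirect off-site. Hypothetical validator, not the vendor's fix.
    """
    if CRLF.search(dest):
        return False
    parsed = urlparse(dest)
    return parsed.scheme == "" and parsed.netloc == "" and dest.startswith("/")

def find_response_splitting_attempts(log_lines):
    """Return (line_number, decoded_dest) for access-log lines whose 'dest'
    query parameter decodes to a value containing CR or LF."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not match:
            continue
        query = urlparse(match.group(1)).query
        # parse_qs percent-decodes, so %0d%0a becomes a real CR LF pair.
        for dest in parse_qs(query, keep_blank_values=True).get("dest", []):
            if CRLF.search(dest):
                hits.append((number, dest))
    return hits

# Constructed sample log lines in combined log format; the endpoint path is
# an assumption and not a real KerioControl URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2025:10:00:01 +0000] "GET /login?dest=%2Fdashboard HTTP/1.1" 302 0',
    '203.0.113.9 - - [31/Jan/2025:10:00:02 +0000] "GET /login?dest=%2Fx%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '203.0.113.7 - - [31/Jan/2025:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    for number, dest in find_response_splitting_attempts(SAMPLE_LOG):
        print(f"line {number}: CRLF in dest -> {dest!r}")
```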
Organizations are strongly urged to update to KerioControl version 9.4.5 Patch 2, released January 31, 2025, which includes critical security enhancements to address this vulnerability.