Full Report
Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE). The vulnerability in question, CVE-2024-52875, refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then
Analysis Summary
# Vulnerability: Critical RCE in GFI KerioControl via CRLF Injection
## CVE Details
- CVE ID: CVE-2024-52875
- CVSS Score: N/A (Severity implied as Critical by RCE nature)
- CWE: CRLF Injection (leading to HTTP Response Splitting and potential XSS/RCE)
## Affected Systems
- Products: GFI KerioControl Firewalls
- Versions: 9.2.5 through 9.4.5 (prior to patch)
- Configurations: Affected paths leverage user input in the `dest` GET parameter for HTTP response header generation.
## Vulnerability Description
The vulnerability is a Critical Remote Code Execution (RCE) flaw rooted in a Carriage Return Line Feed (CRLF) Injection vulnerability. This flaw allows an attacker to inject carriage return (\\r) and line feed (\\n) characters into HTTP response headers. Specifically, this occurs when user input provided via the `dest` GET parameter to the following URI paths is not sanitized before being used in a 'Location' HTTP header (302 response):
* `/nonauth/addCertException.cs`
* `/nonauth/guestConfirm.cs`
* `/nonauth/expiration.cs`
Successful exploitation via HTTP Response Splitting could lead to Cross-Site Scripting (XSS) and, critically, an attacker-crafted URL can trick an administrator into uploading a malicious `.img` file via the firmware upgrade functionality, granting root access to the firewall.
## Exploitation
- Status: PoC available (and threat actors are attempting to take advantage of the flaw)
- Complexity: Low (Implied by "1-click RCE flaw" which relies on tricking an administrator via a crafted URL/click)
- Attack Vector: Network (Requires crafting a malicious URL)
## Impact
- Confidentiality: High (Root access allows access to all data)
- Integrity: High (Root access allows complete modification of the device)
- Availability: High (Root access or subsequent attacks could disrupt service)
## Remediation
### Patches
- GFI released a fix on December 19, 2024.
- Patched Version: **9.4.5 Patch 1**
### Workarounds
- No specific alternative workarounds were detailed in the source material aside from immediate patching. (The core mitigation strategy is applying the vendor patch.)
## Detection
- Indicators of Compromise (IoC): Look for unusual network traffic related to the firmware upgrade functionality or unexpected file uploads via the administrative interface following access to the vulnerable endpoints.
- Detection methods and tools: Network monitoring tools looking for input containing `\r\n` sequences targeted at the specified URI paths. Security solutions capable of detecting HTTP Response Splitting or unauthorized firmware upload attempts.
## References
- Vendor Advisory: gfi.ai/products-and-solutions/network-security-solutions/keriocontrol/resources/documentation/product-releases
- Researcher Report: karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875
- Original News Source: thehackernews.com/2025/01/critical-rce-flaw-in-gfi-keriocontrol.html