Summary: Threat actors are exploiting a recently disclosed security flaw in GFI KerioControl firewalls, allowing for potential remote code execution (RCE) through a CRLF injection attack. The vulnerability, identified as CVE-2024-52875, affects multiple versions of the firewall and has led to active exploitation attempts.
Threat Actor: Unknown | unknown
Victim: GFI KerioControl | GFI KerioControl
Key Points:
- The vulnerability allows attackers to inject carriage-return/line-feed (CRLF) sequences into HTTP response headers, which can be escalated to RCE.
- Exploitation attempts have been observed since December 28, 2024, from various IP addresses in Singapore and Hong Kong.
- A patch was released on December 19, 2024; users who have not yet applied it are urged to secure their instances immediately.
- The flaw impacts KerioControl versions 9.2.5 through 9.4.5, with specific URI paths identified as vulnerable.
- Over 23,800 internet-exposed GFI KerioControl instances are at risk, primarily located in several countries including Iran, Germany, and the United States.
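The following Python is an added example, not code from the article or from GFI KerioControl: it shows the CRLF injection pattern the summary describes in its simplest form next to a hardened header builder, and a check that flags request URIs carrying encoded CR/LF sequences in access logs. The log lines, URI paths and client IPs are constructed for illustration and do not reflect KerioControl's actual paths or log format.

```python
import re
from urllib.parse import unquote

CRLF_RE = re.compile(r"[\r\n]")

# Constructed sample access-log lines (hypothetical format, not KerioControl's):
# one benign request and two carrying percent-encoded CR/LF in the query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Dec/2024:10:01:02 +0000] "GET /app/page?x=ok HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Dec/2024:10:01:09 +0000] "GET /app/page?x=1%0d%0aSet-Cookie:%20a=b HTTP/1.1" 302 0',
    '203.0.113.9 - - [28/Dec/2024:10:02:17 +0000] "GET /app/page?x=1%250D%250A%0D%0Ahello HTTP/1.1" 302 0',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def build_redirect_vulnerable(location: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into a header line,
    so a CR/LF inside `location` starts a new header (or the body) of the response."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"

def safe_header_value(value: str) -> str:
    """Hardened form: remove CR and LF before the value is placed in any header."""
    return CRLF_RE.sub("", value)

def build_redirect_hardened(location: str) -> str:
    """Same redirect, but the header value is sanitised first."""
    return f"HTTP/1.1 302 Found\r\nLocation: {safe_header_value(location)}\r\n\r\n"

def has_crlf_injection(raw_uri: str) -> bool:
    """True if the request URI carries a CR or LF after percent-decoding.
    Decoding is repeated so a double-encoded %250d%250a is caught as well."""
    decoded = raw_uri
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(CRLF_RE.search(decoded))

def flag_requests(lines):
    """Return (client_ip, uri) for each log line whose request URI contains CR/LF."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and has_crlf_injection(m.group("uri")):
            hits.append((line.split()[0], m.group("uri")))
    return hits
```

Running `flag_requests` over a firewall's web access logs gives a quick triage signal for the exploitation attempts the summary mentions, while `safe_header_value` is the kind of check that closes the bug class on the server side.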
Source: https://thehackernews.com/2025/01/critical-rce-flaw-in-gfi-keriocontrol.html