Cybercriminals are exploiting CVE-2024-52875, a critical CRLF injection flaw in GFI KerioControl firewalls, to execute remote code and steal sensitive data. KerioControl, a network security solution for small and medium-sized businesses, was found vulnerable in versions 9.2.5 through 9.4.5 due to improper handling of line feed characters in the 'dest' parameter, enabling HTTP response manipulation.
The vulnerability, demonstrated by security researcher Egidio Romano, allows attackers to inject malicious JavaScript, extract cookies or admin CSRF tokens, and achieve one-click remote code execution. With those tokens, an attacker can upload a malicious root-level script through Kerio's upgrade functionality, gaining unauthorized access.
Active exploitation was reported by GreyNoise from four IP addresses, and Censys identified over 23,000 internet-exposed KerioControl instances. GFI Software released a patch on December 19, 2024, and urged users to update immediately. Where patching isn't possible, administrators are advised to restrict access to the web interface, block public access to the vulnerable pages, and monitor for exploitation attempts.
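As an added example that is not part of the original article or GFI's code, the Python script below shows two defensive pieces for the CRLF issue described above: a scan over web access logs that flags requests whose query parameters carry raw, percent-encoded or double-encoded CR/LF (the 'dest' parameter named in the advisory), which supports the "monitor for exploitation attempts" advice, and a header-safe redirect-target check of the kind a fixed handler would apply before reflecting a value into an HTTP response. The endpoint path '/login', the Combined Log Format and the sample log lines are constructed assumptions, not the product's real paths or real traffic.

```python
"""
Added example (not GFI's or the article's code): detect CRLF-injection
attempts in a query parameter such as 'dest' from access logs, and show a
header-safe way to validate a redirect target.

Assumptions (not from the advisory): logs are in Combined Log Format, the
endpoint path '/login' is a placeholder, and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Raw or percent-encoded CR/LF: if reflected into a header, these would end
# the header line and let the rest of the value become new headers/body.
CRLF_PATTERN = re.compile(r"(%0[dD]|%0[aA]|\r|\n)")

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation-range IPs, placeholder path).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /login?dest=%2Fdashboard HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /login?dest=%2Fhome%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "GET /login?dest=%250d%250aX-Injected:%201 HTTP/1.1" 302 0',
    '203.0.113.11 - - [10/Jan/2025:10:01:00 +0000] "POST /login HTTP/1.1" 200 1200',
]


def suspicious_params(target):
    """Return the sorted names of query parameters whose value contains CR/LF.

    The raw value is checked as logged, and again after one percent-decode so
    that a double-encoded sequence (%250d -> %0d) is caught as well.
    """
    query = urlsplit(target).query
    names = set()
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if CRLF_PATTERN.search(value) or CRLF_PATTERN.search(unquote(value)):
            names.add(unquote(name))
    return sorted(names)


def flag_log_lines(lines):
    """Return (ip, target, params) for every request carrying CR/LF in its query."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        target = m.group("target")
        params = suspicious_params(target)
        if params:
            hits.append((m.group("ip"), target, params))
    return hits


def safe_redirect_target(dest):
    """Validate a redirect target before it is placed in a Location header.

    Refuses any raw or encoded CR/LF (after one decode) and anything that is
    not a same-site relative path. Returns the decoded path, or None to reject.
    """
    decoded = unquote(dest)
    if CRLF_PATTERN.search(dest) or CRLF_PATTERN.search(decoded):
        return None
    # Also refuse absolute and protocol-relative URLs (open-redirect hardening).
    if not decoded.startswith("/") or decoded.startswith("//"):
        return None
    return decoded


if __name__ == "__main__":
    for ip, target, params in flag_log_lines(SAMPLE_LOG):
        print(f"CRLF in query from {ip}: params={params} target={target}")
    for candidate in ("/dashboard", "%2Fdashboard", "/x%0d%0aY", "//other", "http://x"):
        print(f"{candidate!r} -> {safe_redirect_target(candidate)!r}")
```

Run against the constructed log, the scan reports the two requests from 198.51.100.7 (the encoded and the double-encoded variant) and ignores the clean redirect and the POST; the validator passes plain relative paths and rejects anything carrying CR/LF or pointing off-site. In production, the same check would run over the firewall's own web-interface access log and feed the source IPs into an alert.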