Cybersecurity researchers caution that over 12,000 instances of GFI KerioControl firewalls remain unpatched and vulnerable to a critical security flaw (CVE-2024-52875) that could be exploited for remote code execution (RCE) with minimal effort.
The Shadowserver Foundation has been tracking this vulnerability and issuing daily reports since February 5, 2025.
CVE-2024-52875 is a severe security flaw in KerioControl firewall devices, a popular choice for securing small and medium-sized business networks.
The vulnerability reportedly allows attackers to execute arbitrary code on vulnerable devices, potentially gaining complete control over them.
The simplicity of the attack, described as “1-click RCE,” makes it particularly appealing to cybercriminals.
Exploitation could lead to devastating consequences, including data breaches, ransomware deployment, or using compromised devices in larger cyberattacks.
Despite the release of patches from GFI, Shadowserver reports a concerning number of unpatched KerioControl devices worldwide.
As of February 9, 2025, 12,229 instances remain vulnerable and exposed to this critical flaw.
A global heatmap published by Shadowserver highlights the widespread nature of the issue, showing unpatched devices across multiple countries.
The majority of these devices are likely still in active use, leaving organizations open to serious risks.
Security experts are urging administrators and organizations using KerioControl firewalls to prioritize patching immediately.
Given the ease of exploitation, any delay could result in severe consequences. The Shadowserver Foundation is actively sharing data with network owners to help facilitate immediate remediation efforts.
“Unpatched vulnerabilities like CVE-2024-52875 represent low-hanging fruit for threat actors. Closing these gaps is critical to maintaining security and resilience against cyber threats,” Shadowserver emphasized in a recent statement on X.
The ability of attackers to exploit this flaw with a simple click makes it a ticking time bomb for organizations lagging behind in patch management. The race is on to secure these exposed firewalls before attackers strike.
Are you from SOC/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free
Southeast Asian Advanced Persistent Threat (APT) group OceanLotus, also known as APT32, has been identified…
AkiraBot, identified by SentinelLABS, represents a sophisticated spam bot framework that targets website chats and…
A new vulnerability has been discovered in the Microsoft.Identity.Web NuGet package under specific conditions, potentially…
The cybersecurity realm has encountered a formidable adversary with the emergence of CatB ransomware, also…
In a major victory against cybercrime, law enforcement agencies across North America and Europe have…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts regarding two actively exploited vulnerabilities…