Monday, May 5, 2025
HomeCVE/vulnerability1-Click RCE Attack In Kerio Control UTM Allow Attackers Gain Firewall Root...

1-Click RCE Attack In Kerio Control UTM Allow Attackers Gain Firewall Root Access Remotely

Published on

SIEM as a Service

Follow Us on Google News

GFI Software’s Kerio Control, a popular UTM solution, was found to be vulnerable to multiple HTTP Response Splitting vulnerabilities, which affecting versions 9.2.5 through 9.4.5, could potentially allow attackers to inject malicious code into web pages, leading to cross-site scripting (XSS) attacks and other security compromises. 

The vulnerabilities, tracked as CVE-2024-52875 and KIS-2024-07, highlight the importance of keeping software up-to-date and applying security patches promptly.

multiple HTTP Response Splitting vulnerabilities in Kerio Control
multiple HTTP Response Splitting vulnerabilities in Kerio Control

The vulnerable Kerio Control pages `/nonauth/addCertException.cs`, `/nonauth/guestConfirm.cs`, and `/nonauth/expiration.cs` fail to properly sanitize user-supplied `dest` GET parameters before constructing `Location` HTTP headers, which allows attackers to inject malicious URLs containing newline characters, leading to HTTP Response Splitting attacks. 

- Advertisement - Google News

By exploiting this vulnerability in conjunction with a known nine-year-old exploit, attackers can potentially execute arbitrary code on the affected system, bypassing user interaction and escalating the risk to a high severity level.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The root cause of the CRLF Injection vulnerability lies in the improper handling of the “dest” GET parameter.

When a malicious user submits a crafted request with a specially formatted “dest” value containing CRLF sequences, the server fails to sanitize or properly encode the input. 

It allows the attacker to inject malicious HTTP headers into the response, potentially leading to session hijacking, cross-site scripting (XSS), or other security breaches.

Karmain Security identified the presence of the string “µë-” in the server response, suggesting Base64 encoded URLs might be expected and tested this by encoding a random URL (“[http://attacker.website](http://attacker.website)”) in Base64 and used it as the value for the “dest” parameter in the GET request. 

The server responded with a 302 Found status code and a Location header containing the decoded URL, confirming the suspicion, which indicates a vulnerability where the server expects Base64 encoded URLs for redirection.

A researcher successfully exploited a vulnerability in Kerio Control.

By injecting CRLF sequences into the payload, they were able to bypass input validation and manipulate HTTP responses, which allowed for the injection of arbitrary HTTP headers, potentially leading to HTTP Response Splitting attacks. 

Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)

The vulnerability stems from the lack of proper filtering or removal of CRLF sequences, enabling attackers to craft malicious responses and potentially compromise the security of the affected system.

An HTTP Response Splitting vulnerability in Kerio Control that allows for Reflected XSS attacks.

By crafting a special payload and leveraging browser behavior, the researcher was able to inject arbitrary data into the HTTP response body, which bypasses limitations set by the /admin/ path for cookies by using an iframe to steal the CSRF token and perform actions on the victim’s behalf. 

A 9-year-old remote code execution (RCE) exploit through the upgrade functionality was identified and combined with the XSS attack for a complete compromise of the Kerio Control instance. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...