Friday , March 14 2025
12,000 Firewall

CVE-2024-52875
Over 12,000 Firewall Vulnerable to 1-Click RCE Exploit

Over 1,200 firewall instances are vulnerable to a critical remote code execution issue, known as CVE-2024-52875. The vulnerability is found in several unauthenticated web interface paths, including /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs.

These pages do not adequately sanitize user input from the dest GET parameter, allowing attackers to inject line feed (LF) characters into HTTP responses. This vulnerability can lead to HTTP response splitting attacks, resulting in open redirects and reflected cross-site scripting (XSS).

As of February 9, 2025, the Shadowserver Foundation reported 12,229 unpatched KerioControl instances worldwide. A heatmap from Shadowserver shows significant vulnerabilities in North America, Europe, and Asia.

The organization has identified scanning for this vulnerability in its honeypot sensors, showing that threat actors are attempting to exploit it.

The absence of an official warning from the National Vulnerability Database (NVD) makes it harder to address risks. Organizations using these firewalls may not recognize the threat until a breach occurs or they are alerted by third-party security monitors like Shadowserver.

Unpatched KerioControl firewalls are vulnerable to attacks that allow hackers to gain full control. Exploited firewalls can become entry points for larger network intrusions or for launching additional attacks on connected systems.

In mid-December, security researcher Egidio Romano (EgiX) found the flaw that could enable risky 1-click remote code execution (RCE) attacks.

Shadowserver advises organizations to quickly assess their system vulnerabilities, monitor dashboards for alerts, and apply available patches.

KerioControl is a network security suite that small and medium-sized businesses use for VPNs, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention.

Check Also

NVIDIA

NVIDIA has released update for NVIDIA Riva

NVIDIA has released a software update for Riva to fix security vulnerabilities that could allow …

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending Threat Actor: Lockbit, Lazarus, Blackcat, Cybercriminals, SaltTyphoon, Scttered Spider, RedGolf, BlueBravo, North Korean Hackers, ...
Trending Malware: SocGholish, Colabtstrike, Linuxkernel, Plugx, Lockbit, Xmrig, REMCOM RAT, Play Ransomware, LummaC2, HijackLoader, BugSleep
Trending vulnerability:CVE: 2024-21887, CVE: 2024-6387, CVE: 2024-46805, CVE: 2017-11882, CVE: 2021-44228, CVE:2024-40348, CVE: 2024-38112
Techniques: T1059.001, T1082, T1486, T1190, T1083
Tactics: TA0007, TA0001, TA0005, TA0011
16:09