January 8, 2025 By Bill Toulas
Hackers are trying to exploit CVE-2024-52875, a critical CRLF injection vulnerability that leads to 1-click remote code execution (RCE) attacks in GFI KerioControl firewall product.
KerioControl is a network security solution designed for small and medium-sized businesses that combines firewall, VPN, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention.
On December 16, 2024, security researcher Egidio Romano (EgiX) published a detailed writeup on CVE-2024-52875, demonstrating how a seemingly low-severity HTTP response splitting problem could escalate to 1-click RCE.
The vulnerability, which impacts KerioControl versions 9.2.5 through 9.4.5, is due to improper sanitization of line feed (LF) characters in the 'dest' parameter, allowing HTTP header and response manipulation via injected payloads.
Malicious JavaScript injected into responses is executed on the victim's browser, leading to the extraction of cookies or CSRF tokens.
