Thousands of GFI KerioControl firewalls still at risk of exploited critical RCE

BleepingComputer reports that one-click remote code execution attacks continue to threaten 12,229 GFI KerioControl firewalls impacted by the critical CVE-2024-52875 vulnerability nearly two months after patches were issued. Iran accounted for most of the vulnerable KerioControl instances, followed by the U.S., Italy, Germany, and Russia, according to The Shadowserver Foundation. The flaw, discovered by security researcher Egidio Romano (also known as EgiX), could be easily leveraged by less sophisticated threat actors. "Specifically, the application does not correctly filter/remove linefeed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which in turn might allow to carry out Reflected Cross-Site Scripting (XSS) and possibly other attacks. NOTE: The Reflected XSS vector might be abused to perform 1-click Remote Code Execution (RCE) attacks," said Romano. Organizations that have not remediated impacted KerioControl firewalls were urged to immediately apply the latest and more comprehensive security patch released late last month.
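As an added illustration of the defect class Romano describes (constructed Python, not code from the article, from GFI, or from the KerioControl product), the sketch below contrasts a handler that concatenates a user-supplied value into a response header with a hardened version that rejects CR/LF, and includes a small request-side check a defender can run over decoded request targets. Function names, the header names and the sample inputs are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Any CR, LF or NUL inside a header field value ends the field early.
CTL_RE = re.compile(r"[\r\n\x00]")


def naive_redirect(dest: str) -> bytes:
    """Vulnerable pattern: the value lands in the header block unfiltered."""
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {dest}\r\nContent-Length: 0\r\n\r\n"
    ).encode()


def header_names(raw: bytes) -> list:
    """Return the header field names a lenient parser would see (LF alone
    terminates a line, which is what makes bare-LF filtering matter)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    lines = re.split(r"\r?\n", head)[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines]


def sanitize_header_value(value: str) -> str:
    """Hardened: refuse any value that could terminate the header line."""
    if CTL_RE.search(value):
        raise ValueError("CR/LF/NUL not allowed in header value")
    return value


def safe_redirect(dest: str) -> bytes:
    """Same handler with the value validated before it is emitted."""
    return naive_redirect(sanitize_header_value(dest))


def request_target_suspicious(raw_uri: str) -> bool:
    """Detection aid: flag request targets whose decoded form contains
    CR/LF/NUL (e.g. %0a), the precondition for this defect class."""
    return bool(CTL_RE.search(unquote(raw_uri)))


if __name__ == "__main__":
    # Constructed input: a destination carrying a bare LF.
    dest = "/home\nX-Injected: 1"
    print(header_names(naive_redirect(dest)))  # X-Injected appears
    try:
        safe_redirect(dest)
    except ValueError as err:
        print("rejected:", err)
```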