Cyber Resilience

CVE-2024-52875

HighPublic PoC

Published: 31 January 2025

Published
31 January 2025
Modified
16 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.7857 99.1th percentile
Risk Priority 65 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-52875 is a high-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Gfi Kerio Control. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-52875 affects GFI Kerio Control versions 9.2.5 through 9.4.5. The vulnerability stems from improper sanitization of the dest GET parameter supplied to the /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs endpoints. This parameter is directly incorporated into a Location header within a 302 response, enabling Open Redirect and HTTP Response Splitting attacks that escalate to reflected cross-site scripting; the same flaw can be chained with the product's admin upgrade mechanism to achieve remote command execution.

An unauthenticated remote attacker can supply a crafted dest value to trigger the redirect or header injection. Successful exploitation yields reflected XSS in the context of a victim's browser, which can be leveraged to access the authenticated admin interface and invoke the upgrade feature for arbitrary command execution on the appliance. The issue carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, no required privileges, and required user interaction.

Public disclosure occurred via a Full Disclosure mailing-list post and a detailed technical write-up at karmainsecurity.com. The EPSS score currently stands at 0.7857 with a recorded peak of 0.8242, indicating sustained exploitation interest following publication. No official patch or mitigation guidance is referenced in the available advisories.

EU & UK References

Vulnerability details

An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302…

more

HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The HTTP Response Splitting (CRLF/LF injection) vulnerability in the unauthenticated web pages of GFI Kerio Control enables exploitation of a public-facing application (T1190) and remote services (T1210), facilitating reflected XSS, open redirects, and remote command execution via the admin upgrade feature.

CVEs Like This One

CVE-2026-2038Same vendor: Gfi
CVE-2026-2039Same vendor: Gfi
CVE-2026-34520Shared CWE-113
CVE-2026-2037Same vendor: Gfi
CVE-2025-55271Shared CWE-113
CVE-2026-2036Same vendor: Gfi
CVE-2026-39971Shared CWE-113
CVE-2026-41683Shared CWE-113
CVE-2025-59151Shared CWE-113
CVE-2026-40175Shared CWE-113

Affected Assets

gfi
kerio control
9.2.5 — 9.4.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of the 'dest' GET parameter to block malicious inputs like CRLF characters or invalid URLs used in the Location header, directly preventing open redirects, response splitting, and reflected XSS.

prevent

SI-15 requires filtering of outputs in HTTP responses, such as sanitizing the Location header content derived from the 'dest' parameter to eliminate injected payloads leading to XSS or splitting.

prevent

SI-9 enforces restrictions on input types, lengths, and characters for parameters like 'dest', limiting opportunities for CRLF injection or oversized payloads in unauthenticated pages.

References