CVE-2024-52875
Published: 31 January 2025
Summary
CVE-2024-52875 is a high-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Gfi Kerio Control. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-52875 affects GFI Kerio Control versions 9.2.5 through 9.4.5. The vulnerability stems from improper sanitization of the dest GET parameter supplied to the /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs endpoints. This parameter is directly incorporated into a Location header within a 302 response, enabling Open Redirect and HTTP Response Splitting attacks that escalate to reflected cross-site scripting; the same flaw can be chained with the product's admin upgrade mechanism to achieve remote command execution.
An unauthenticated remote attacker can supply a crafted dest value to trigger the redirect or header injection. Successful exploitation yields reflected XSS in the context of a victim's browser, which can be leveraged to access the authenticated admin interface and invoke the upgrade feature for arbitrary command execution on the appliance. The issue carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, no required privileges, and required user interaction.
Public disclosure occurred via a Full Disclosure mailing-list post and a detailed technical write-up at karmainsecurity.com. The EPSS score currently stands at 0.7857 with a recorded peak of 0.8242, indicating sustained exploitation interest following publication. No official patch or mitigation guidance is referenced in the available advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46263
Vulnerability details
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302…
more
HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The HTTP Response Splitting (CRLF/LF injection) vulnerability in the unauthenticated web pages of GFI Kerio Control enables exploitation of a public-facing application (T1190) and remote services (T1210), facilitating reflected XSS, open redirects, and remote command execution via the admin upgrade feature.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of the 'dest' GET parameter to block malicious inputs like CRLF characters or invalid URLs used in the Location header, directly preventing open redirects, response splitting, and reflected XSS.
SI-15 requires filtering of outputs in HTTP responses, such as sanitizing the Location header content derived from the 'dest' parameter to eliminate injected payloads leading to XSS or splitting.
SI-9 enforces restrictions on input types, lengths, and characters for parameters like 'dest', limiting opportunities for CRLF injection or oversized payloads in unauthenticated pages.