CVE-2024-52875 in Kerio Control

Summary

by MITRE • 01/31/2025

An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.


Analysis

by VulDB Data Team • 09/16/2025

CVE-2024-52875 affects GFI Kerio Control versions 9.2.5 through 9.4.5. It is a critical flaw that lets an attacker manipulate HTTP redirect behaviour through improper input validation. Three endpoints are affected: /nonauth/addCertException.cs, /nonauth/guestConfirm.cs and /nonauth/expiration.cs. Each takes a dest GET parameter that is written into the Location header of a 302 redirect response without adequate sanitization. The root cause falls under CWE-601 (Open Redirect): the application does not validate user-supplied input before using it in a redirect, so an attacker can send users to an arbitrary destination.

An attacker can place an arbitrary URL in the dest parameter, and that value is embedded in the Location header; the browser follows the header automatically, which makes these endpoints a direct vector for open redirect. Because the value is not sanitized, carriage-return and line-feed characters in it reach the response verbatim, an HTTP Response Splitting condition that lets the attacker add further headers or control the response body. That is how the chain reaches reflected cross-site scripting: a crafted response can carry JavaScript that runs in the victim's browser when the redirect is followed. The flaw sits at the application layer and requires no authentication, which is especially serious for a network security appliance.

The impact goes beyond redirect manipulation: the upgrade feature in the admin interface can be used to achieve remote command execution. An attacker who has exploited the open redirect and XSS components can drive the administrative upgrade function to run arbitrary commands on the affected system, compromising the entire network security appliance. This escalation path aligns with ATT&CK technique T1059.007 (Command and Scripting Interpreter) and T1078.004 (Valid Accounts), since the attacker gains administrative privileges and executes code on the target. Organizations running GFI Kerio Control appliances therefore risk exposing critical network infrastructure to unauthorized access and malicious activity.

Mitigation requires prompt action: apply the latest security patches from GFI, validate all user-supplied parameters, and validate URLs before generating redirect responses. Organizations should deploy a web application firewall to detect and block malicious redirect attempts, restrict access to the administrative interface, and monitor network traffic for suspicious redirect patterns. The fix itself should sanitize the dest parameter by validating it against an allowlist of approved domains, or by applying proper URL encoding before the value is placed in an HTTP header. Security teams should also segment the network, disable unnecessary administrative features, and monitor for unauthorized access attempts against the affected components.
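The allowlist check and the traffic monitoring recommended above, as an added Python example that is not VulDB's or GFI's code: it validates a dest value before it is placed in a Location header (rejecting CR/LF, foreign hosts and non-HTTP schemes) and runs the same check over constructed access-log lines to flag requests to the three affected pages. The allowlisted host, the log format and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed values: a host the appliance may legitimately redirect to, and the
# three affected pages named in the advisory.
ALLOWED_HOSTS = {"fw.example.internal"}
AFFECTED_PAGES = ("/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs",
                  "/nonauth/expiration.cs")

def validate_redirect_target(dest, allowed_hosts=ALLOWED_HOSTS):
    """Return dest if it is safe to place in a Location header, else None."""
    decoded = unquote(dest)  # also check the decoded form so %0d%0a cannot slip through
    # A CR/LF (or any control byte) in the header value is what enables response
    # splitting; backslashes are rejected because browsers normalise them to '/'.
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded) or "\\" in decoded:
        return None
    p = urlsplit(decoded)
    if p.scheme not in ("", "http", "https") or "@" in p.netloc:
        return None  # javascript:/data: schemes, or userinfo tricks like host@other
    if p.netloc:  # absolute or protocol-relative URL: host must be allowlisted
        return dest if (p.hostname or "").lower() in allowed_hosts else None
    if not p.path.startswith("/") or p.path.startswith("//"):
        return None  # only same-origin absolute paths are accepted as relative targets
    return dest

LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def flag_suspicious_requests(log_lines):
    """Return (line_no, dest) for requests to the affected pages whose dest value
    the validator would reject, i.e. candidate exploitation attempts."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path not in AFFECTED_PAGES:
            continue
        for dest in parse_qs(query).get("dest", []):
            if validate_redirect_target(dest) is None:
                hits.append((n, dest))
    return hits

# Constructed access-log lines (not real traffic) to exercise the detector.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2025:10:00:01 +0000] "GET /nonauth/guestConfirm.cs?dest=/welcome HTTP/1.1" 302 0',
    '10.0.0.9 - - [31/Jan/2025:10:00:07 +0000] "GET /nonauth/addCertException.cs?dest=%2F%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '10.0.0.9 - - [31/Jan/2025:10:00:12 +0000] "GET /nonauth/expiration.cs?dest=https://portal.example.invalid/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [31/Jan/2025:10:00:20 +0000] "GET /admin/ HTTP/1.1" 200 512',
]
```

Running `flag_suspicious_requests(SAMPLE_LOG)` returns the second and third lines: one carries an encoded CR/LF, the other redirects to a host outside the allowlist.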

Disclosure: 01/31/2025
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.79658
KEV: no
Activities: very low
