Over 12,000 GFI KerioControl Firewalls Vulnerable to Critical Remote Code Execution Flaw
February 11, 2025
KerioControl is widely utilized by small and medium-sized businesses for various network security functions, including VPNs and traffic filtering.
The majority of the vulnerable instances are located in countries such as Iran, the United States, Italy, Germany, Russia, Kazakhstan, Uzbekistan, France, Brazil, and India.
In early January 2025, GreyNoise reported active exploitation attempts using Romano's proof-of-concept exploit to steal admin CSRF tokens.
A critical remote code execution vulnerability, tracked as CVE-2024-52875, has been identified in over 12,000 GFI KerioControl firewall instances.
The Shadowserver Foundation has reported detecting 12,229 exposed KerioControl firewalls that are vulnerable to this significant security flaw.
This vulnerability was discovered in mid-December 2024 by security researcher Egidio Romano, who demonstrated its potential for one-click remote code execution attacks.
Romano highlighted that the vulnerability arises from improper sanitization of user input, which can lead to HTTP Response Splitting attacks, resulting in reflected Cross-Site Scripting (XSS) and potential remote code execution.
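The root cause described above (unsanitized input reaching an HTTP header, so a CR/LF pair in the input terminates the header and lets the attacker write a second response) is a generic defect class. The following is an added illustration, not code from KerioControl or from Romano's advisory: it shows the unsafe header-building pattern beside a hardened form that rejects control characters, plus a small log check that flags percent-encoded CR/LF in request targets. The `/admin/login?dest=` path, the IP addresses and the log lines are all constructed for the example and do not refer to the real product's endpoints.

```python
import re
from urllib.parse import unquote

# HTTP field values may not contain CR, LF or NUL (RFC 9110); any of them
# in an attacker-controlled value lets the response be split.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def header_value_is_safe(value: str) -> bool:
    """True when value can be placed in an HTTP header without splitting the response."""
    return _FORBIDDEN.search(value) is None


def build_location_header_unsafe(dest: str) -> str:
    """Pattern to avoid: untrusted input is concatenated into a header line unchecked."""
    return "Location: " + dest + "\r\n"


def build_location_header_safe(dest: str) -> str:
    """Hardened form: refuse values containing CR/LF/NUL before they reach the header."""
    if not header_value_is_safe(dest):
        raise ValueError("control characters are not allowed in a header value")
    return "Location: " + dest + "\r\n"


def count_header_lines(raw: str) -> int:
    """Number of non-empty header lines in a raw header fragment (2 means it was split)."""
    return len([line for line in raw.split("\r\n") if line])


# --- detection side: spot CR/LF smuggled into request targets in an access log ---

# Constructed Apache-style access log lines (hypothetical hosts and paths).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Feb/2025:10:01:02 +0000] "GET /admin/login?dest=/dashboard HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Feb/2025:10:01:07 +0000] "GET /admin/login?dest=/x%0d%0aSet-Cookie:%20a=b HTTP/1.1" 302 0',
    '198.51.100.2 - - [10/Feb/2025:10:02:11 +0000] "GET /admin/login?dest=/y%250d%250aX-Injected:%201 HTTP/1.1" 302 0',
]

_LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def _fully_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %250d%250a is caught as well."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def flag_crlf_in_requests(log_lines):
    """Return (client_ip, raw_target) for every request whose target decodes to contain CR or LF."""
    hits = []
    for line in log_lines:
        match = _LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected log format
        ip, _method, target = match.groups()
        if not header_value_is_safe(_fully_decode(target)):
            hits.append((ip, target))
    return hits


if __name__ == "__main__":
    injected = "/x\r\nX-Injected: 1"  # constructed value with an embedded CRLF
    print("unsafe builder emitted", count_header_lines(build_location_header_unsafe(injected)), "header lines")
    try:
        build_location_header_safe(injected)
    except ValueError as exc:
        print("safe builder rejected the value:", exc)
    for ip, target in flag_crlf_in_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request from", ip, "->", target)
```

The detection helper is deliberately narrow: it only reports targets that decode to a literal CR or LF, which is the precondition for response splitting, so it produces few false positives on ordinary traffic and is a reasonable first filter to run over logs from an appliance that was exposed before the patch was applied.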
The public availability of the proof-of-concept exploit significantly lowers the barrier for unskilled hackers to execute attacks.
To mitigate this vulnerability, it is strongly advised that users install KerioControl version 9.4.5 Patch 2, which was released on January 31, 2025, and includes additional security enhancements.
Despite the release of an initial patch (version 9.4.5 Patch 1) on December 19, 2024, over 23,800 instances remained unpatched three weeks later, according to Censys.
Summary based on 1 source
Source

BleepingComputer • Feb 10, 2025
Over 12,000 KerioControl firewalls exposed to exploited RCE flaw