CVSS: 9.8EPSS: %CPEs: 1EXPL: 1CVE-2025-34071 – GFI Kerio Control Unsigned System Image Upload Root Code Execution
https://notcve.org/view.php?id=CVE-2025-34071
02 Jul 2025 — A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authenticity or integrity, and are executed by the system post-upload, enabling root access. • https://ssd-disclosure.com/ssd-advisory-kerio-control-authentication-bypass-and-rce • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: %CPEs: 1EXPL: 1CVE-2025-34070 – GFI Kerio Control GFIAgent Missing Authentication on Administrative Interfaces
https://notcve.org/view.php?id=CVE-2025-34070
02 Jul 2025 — A missing authentication vulnerability in the GFIAgent component of GFI Kerio Control 9.4.5 allows unauthenticated remote attackers to perform privileged operations. The GFIAgent service, responsible for integration with GFI AppManager, exposes HTTP services on ports 7995 and 7996 without proper authentication. The /proxy handler on port 7996 allows arbitrary forwarding to administrative endpoints when provided with an Appliance UUID, which itself can be retrieved from port 7995. This results in a complete ... • https://ssd-disclosure.com/ssd-advisory-kerio-control-authentication-bypass-and-rce • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: %CPEs: 1EXPL: 1CVE-2025-34069 – GFI Kerio Control GFIAgent Authentication Bypass via Proxy Forwarding
https://notcve.org/view.php?id=CVE-2025-34069
02 Jul 2025 — An authentication bypass vulnerability exists in GFI Kerio Control 9.4.5 due to insecure default proxy configuration and weak access control in the GFIAgent service. The non-transparent proxy on TCP port 3128 can be used to forward unauthenticated requests to internal services such as GFIAgent, bypassing firewall restrictions and exposing internal management endpoints. This enables unauthenticated attackers to access the GFIAgent service on ports 7995 and 7996, retrieve the appliance UUID, and issue adminis... • https://ssd-disclosure.com/ssd-advisory-kerio-control-authentication-bypass-and-rce • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 80%CPEs: 1EXPL: 1CVE-2024-52875 – GFI Kerio Control 9.4.5 HTTP Response Splitting
https://notcve.org/view.php?id=CVE-2024-52875
17 Dec 2024 — An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade featu... • https://packetstorm.news/files/id/183183 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •