In the cybersecurity industry, it’s easy to get caught up in chasing flashy zero-days or high-severity CVEs. But sometimes, it’s the seemingly low-severity issues that have the potential to cause the most significant damage. My recent deep dive into HTTP Response Splitting vulnerabilities affecting Kerio Control serves as a stark reminder of this reality.

GFI Kerio Control, a pretty popular firewall solution, has been plagued by some vulnerabilities over the years. One security issue I discovered and investigated, CVE-2024-52875, demonstrates how even a minor flaw can lead to a critical problem when strategically exploited. Let’s break down two key lessons from this research: the underestimated power of low-severity issues and the dangers of unpatched legacy vulnerabilities.

Lesson 1: Low-Severity Issues Can Be a Springboard to Critical Exploits

CVE-2024-52875 was initially assessed as a low-severity issue. On the surface, it didn’t seem like a showstopper. However, through careful analysis and chaining with other conditions, I was able to demonstrate how this minor vulnerability could be weaponized to achieve a significant impact: the ability to carry out 1-click Remote Code Execution (RCE) attacks, potentially granting attackers root access to the firewall!

This isn’t an isolated case. Low-severity ratings often lead teams to underestimate these issues, overlooking them during triage. However, attackers love low-hanging fruit! These seemingly insignificant flaws, when exploited in tandem with other vulnerabilities or misconfigurations, can lead to severe consequences such as privilege escalation or data exfiltration.
This serves as a call to action for security teams to:

• Reevaluate their approach to low-severity findings.
• Invest in regular threat modeling to identify how such flaws could be chained with other issues.
• Prioritize fixes not just based on CVSS scores, but on potential real-world impact.

Lesson 2: The Persistence of Old Vulnerabilities

While analyzing Kerio Control, I was struck by another glaring issue: the persistence of vulnerabilities that had remained unaddressed for nearly a decade. Some of these flaws traced back at least nine years to legacy code that had been overlooked or deprioritized during updates. Indeed, a quick look at this Exploit-DB page reveals four distinct Kerio Control vulnerabilities disclosed back in 2015:

1. SQL Injection
2. Cross Site Scripting (XSS)
3. Remote Command Execution via File Upload
4. Remote Command Execution through CSRF

It seems that only the first two issues were resolved at the time. The latter two — (3) and (4) — are present in Kerio Control versions up to 9.4.5. To provide context:

• Vulnerability (3): this is exploitable only by authenticated admin users, it might have been seen by the vendor as a "by-design feature" rather than a flaw.
• Vulnerability (4): requires chaining with another issue, such as an XSS, to exploit. It’s likely this complexity contributed to it being overlooked and not considered as a "real" security issue.

Interestingly, Kerio Control’s release notes for version 9.4.5 Patch 1 indicate some progress on this matter:

• Hardened against XSS exploits.
• Resolved CVE-2024-52875.

While I haven’t tested whether this update fully addresses vulnerability (4), I confirmed it correctly fixes my recent vulnerabilities, namely CVE-2024-52875. This highlights the challenge of addressing legacy vulnerabilities: they often go unnoticed or deprioritized, especially when they are considered low risk or too complex to exploit.

The persistence of old vulnerabilities presents a serious problem in cybersecurity. Legacy code is often treated as a black box, with software vendors hesitant to touch it due to fears of breaking functionality. However, this approach leaves software products and their users exposed to serious risks over time.

In Kerio Control’s case, attackers who know the history of these vulnerabilities can exploit them with minimal effort, creating a perfect storm of exploitation opportunities.
To fight against this, software vendors must:

• Perform regular audits of legacy code and third-party libraries.
• Integrate robust patch management strategies to ensure new and old vulnerabilities are addressed.
• Educate developers and security teams on the importance of addressing security vulnerabilities.

Exploitation in the Wild

The critical nature of these vulnerabilities became evident as just two weeks after my public disclosure, exploitation in the wild became evident: GreyNoise Intelligence reported active exploitation attempts starting from December 28, 2024, as you can see here.

Number of exploitation attempts per unique IP address. Source: GreyNoise

Furthermore, cybersecurity news outlets, including The Hacker News, SecurityWeek, and BleepingComputer, highlighted how attackers have tried to exploit the flaws to steal admin CSRF tokens and potentially compromise entire systems.

This real-world exploitation underscores the importance of swift remediation once a vulnerability is disclosed. The amount of time between disclosure and exploitation is shrinking, making proactive defense more critical than ever.

Conclusion

My work on these Kerio Control flaws underscores the critical need for software vendors to treat all vulnerabilities — whether low, old, high or critical — with the respect they deserve. As a penetration tester working on many tests with Cobalt customers over the years, I have noticed an emphasis on chasing down the latest threats - which makes sense, they are in the news and top of mind. However, penetration testing is about so much more than current events. It should ensure that a system's defenses are properly applied and effective. This includes managing technical debt and every aspect of a system's lifecycle.

By shifting our perspective on low-severity vulnerabilities and embracing a proactive approach to legacy code, we can build stronger, more resilient systems. Let’s help prevent today’s overlooked issues from becoming tomorrow’s crises.

Discover how Cobalt’s offensive security solutions can help protect your business. Request your personalized demo today and take the first step toward proactive security.