GFI Kerio Control Authentication Bypass and Remote Code Execution Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in GFI Kerio Control version 9.4.5. This vulnerability arises from an insecure default proxy configuration and weak access controls in the GFIAgent service. The non-transparent proxy on TCP port 3128 can forward unauthenticated requests to internal services, bypassing firewall restrictions and exposing management endpoints. This allows unauthenticated attackers to access the GFIAgent service on ports 7995 and 7996, retrieve the appliance UUID, and issue administrative requests via the proxy, resulting in full administrative access to the Kerio Control appliance.

Impact

Exploitation of this vulnerability leads to unauthorized administrative access on the affected Kerio Control appliance.

Reproduction

The vulnerability can be reproduced by first enabling the non-transparent proxy service on TCP port 3128 and configuring the appropriate firewall rules to allow access to this port. Once the proxy is accessible, unauthenticated requests can be forwarded through the proxy to the GFIAgent service on ports 7995 and 7996. The appliance UUID can be retrieved from port 7995, and then used to make unauthenticated administrative requests through the proxy to port 7996.
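The request path described above (client to the port 3128 proxy, proxy to the GFIAgent ports 7995 and 7996) is what a defender can look for in proxy access logs while the upgrade is being rolled out. The following script is an added example written for this page; it is not code from the advisory or from GFI. It assumes a generic "timestamp client method target status" log layout, which is a constructed format and not Kerio Control's actual log format, so the regular expression must be adapted to the real log source. It flags every proxied request whose destination port is one of the GFIAgent ports named in the advisory, covering both CONNECT tunnels and absolute-URL requests.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports named in the advisory for the GFIAgent service.
GFIAGENT_PORTS = {7995, 7996}

# Constructed sample log lines (assumption: a generic
# "timestamp client method target status" layout). This is NOT
# Kerio Control's real log format; adjust LINE_RE for your source.
SAMPLE_PROXY_LOG = """\
2025-09-01T19:00:01Z 203.0.113.10 GET http://example.com/ 200
2025-09-01T19:00:02Z 203.0.113.10 GET http://127.0.0.1:7995/ 200
2025-09-01T19:00:03Z 203.0.113.10 POST http://127.0.0.1:7996/ 200
2025-09-01T19:00:04Z 198.51.100.7 CONNECT example.org:443 200
2025-09-01T19:00:05Z 198.51.100.7 CONNECT 10.0.0.1:7996 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<target>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    method: str
    host: str
    port: int


def target_host_port(method: str, target: str) -> Optional[Tuple[str, int]]:
    """Extract the destination host and explicit port of a proxy request.

    CONNECT targets are bare host:port; other methods carry an absolute URL.
    Returns None when no explicit port is present, since the default HTTP(S)
    ports are not the GFIAgent ports this check is interested in.
    """
    if method == "CONNECT":
        hostport = target
    else:
        m = re.match(r"^[a-z]+://([^/]+)", target, re.IGNORECASE)
        if not m:
            return None
        hostport = m.group(1)
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def find_gfiagent_forwards(log_text: str) -> List[Alert]:
    """Return one Alert per proxied request whose destination port is a GFIAgent port."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed layout; skip it
        hp = target_host_port(m["method"], m["target"])
        if hp is None:
            continue
        host, port = hp
        if port in GFIAGENT_PORTS:
            alerts.append(Alert(m["ts"], m["client"], m["method"], host, port))
    return alerts


if __name__ == "__main__":
    for a in find_gfiagent_forwards(SAMPLE_PROXY_LOG):
        print(f"{a.ts} client={a.client} {a.method} -> {a.host}:{a.port} "
              f"(GFIAgent port reached through the proxy)")
```

On the constructed sample the script reports three requests: the two absolute-URL requests to 127.0.0.1 on ports 7995 and 7996 and the CONNECT tunnel to 10.0.0.1:7996; the ordinary web requests are ignored. Any such hit on a Kerio Control appliance running an affected version is worth treating as a probable exploitation attempt, and the durable fix remains the upgrade described under Remediation.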

Remediation

Users are advised to upgrade to GFI Kerio Control version 9.5.p1 or newer.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          7.5
exploitability  9.1
remediation     7.7
relevance       0.2
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.