CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-34071

CVSS 9.4v4.0pub. 2025-07-02upd. 2025-09-17

A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authenticity or integrity, and are executed by the system post-upload, enabling root access.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Gfi Kerio Control

    APP
    Gfi
    9.4.5
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-34069CRITICAL9.5PL ✓ten sam produkt

Authentication Bypass w GFI Kerio Control — pełny dostęp admina bez uwierzytelnienia

CVE-2025-34070CRITICAL10.0PL ✓ten sam produkt

GFI Kerio Control – pominięcie uwierzytelnienia w komponencie GFIAgent (Auth Bypass)

CVE-2024-52875HIGH8.8ten sam produkt

An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonaut...

CVE-2019-16414MEDIUM6.1ten sam produkt

A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page...

CVE-2026-2038CRITICAL9.8PL ✓ten sam vendor

GFI Archiver MArc.Core — pominięcie autoryzacji (Authentication Bypass)