CVE-2025-34069
📋 TL;DR
This authentication bypass vulnerability in GFI Kerio Control allows unauthenticated attackers to gain full administrative access to the firewall appliance by abusing its non-transparent HTTP proxy (TCP 3128) to reach the internal GFIAgent service, which is otherwise not meant to be reachable from the network. Organizations running GFI Kerio Control 9.4.5 with default settings are affected, particularly where the appliance's proxy port is exposed to untrusted networks.
💻 Affected Systems
- GFI Kerio Control 9.4.5 (fixed in 9.4.6 and later)
📦 What is this software?
GFI Kerio Control is a network firewall appliance that also provides an HTTP proxy for client traffic. The proxy and the appliance's internal GFIAgent management service are the components involved in this issue.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the firewall appliance, enabling attackers to reconfigure firewall rules, intercept network traffic, deploy malware, and pivot to internal networks.
Likely Case
Unauthenticated attackers gain administrative access to the firewall, allowing them to modify security policies, create backdoors, and potentially execute remote code.
If Mitigated
If the appliance is segmented and TCP ports 3128, 7995 and 7996 are not reachable from untrusted networks, only an attacker who already has a foothold on the trusted network can exploit the issue.
🎯 Exploit Status
Exploitation requires network access to the proxy on TCP port 3128 and consists of plain HTTP proxy requests that reach the internal GFIAgent API; no credentials or special tooling are needed beyond a standard HTTP client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.6 or later
Vendor Advisory: https://support.kerio.com/
Restart Required: Yes
Instructions:
1. Log into the Kerio Control admin interface.
2. Navigate to System > Updates.
3. Apply available updates to version 9.4.6 or later.
4. Restart the appliance as prompted.
🔧 Temporary Workarounds
Block vulnerable ports
Block access to TCP ports 3128, 7995, and 7996 from untrusted networks. On Kerio Control itself this is done with its traffic rules; on a Linux host filtering in front of the appliance the equivalent iptables rules are:
```shell
iptables -A INPUT -p tcp --dport 3128 -j DROP
iptables -A INPUT -p tcp --dport 7995:7996 -j DROP
```
As written these rules drop the ports for every source, which also cuts off legitimate proxy clients and administrators. Insert a matching ACCEPT rule for the trusted network (`-s <trusted-network>`) before them, or restrict the DROP rules to the untrusted interface with `-i <untrusted-interface>`.
Disable non-transparent proxy
Disable the non-transparent proxy in the Kerio Control settings until the appliance is patched; this removes the path from port 3128 to the internal GFIAgent service.
🧯 If You Can't Patch
- Segment the Kerio Control appliance to restrict network access to only trusted administrative networks
- Implement strict firewall rules to block all external access to ports 3128, 7995, and 7996
🔍 How to Verify
Check if Vulnerable:
Test whether the GFIAgent service can be reached through the proxy. A successful response (HTTP 200 with a body) means the appliance is exposed:
```shell
curl -x http://[target]:3128 http://localhost:7995/api/v1/uuid
```
Check Version:
```shell
ssh admin@[kerio-control] 'cat /etc/version'
```
or check the version in the web admin interface.
Verify Fix Applied:
After patching, the same test should return authentication errors or connection refused
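The check above is a single curl call. The following is an added example, not code from the advisory or from GFI, that sends the same request (GET http://localhost:7995/api/v1/uuid through the proxy on TCP 3128) to one or more appliances with a timeout and classifies the outcome. The proxy port, agent port and path come from the advisory; the verdict labels and the `kerio-34069-check` User-Agent string are this example's own choices.

```python
"""Added example (not part of the advisory or of GFI's tooling): probe one or
more Kerio Control hosts for the proxy-to-GFIAgent exposure described above.
Proxy port, agent port and path are taken from the advisory; the verdict
labels are this example's own convention.
"""
import http.client
import socket

PROXY_PORT = 3128
AGENT_PORT = 7995
AGENT_PATH = "/api/v1/uuid"


def agent_url(agent_port=AGENT_PORT, path=AGENT_PATH):
    """Absolute-form URL a proxy client sends for the internal GFIAgent service."""
    return f"http://localhost:{agent_port}{path}"


def classify(status, error=None):
    """Map an HTTP status (or a transport error) to an exposure verdict.

    EXPOSED:     the proxy relayed the request and GFIAgent answered (200).
    BLOCKED:     the proxy or agent demanded authentication (401/403/407),
                 which is the expected post-patch behaviour.
    UNREACHABLE: connection refused or timed out (port filtered or proxy off).
    UNEXPECTED:  anything else; inspect manually.
    """
    if error is not None:
        return "UNREACHABLE"
    if status == 200:
        return "EXPOSED"
    if status in (401, 403, 407):
        return "BLOCKED"
    return "UNEXPECTED"


def probe(target, proxy_port=PROXY_PORT, agent_port=AGENT_PORT, timeout=5.0):
    """Return (verdict, status, detail) for one target host or IP."""
    url = agent_url(agent_port)
    conn = http.client.HTTPConnection(target, proxy_port, timeout=timeout)
    try:
        # A non-transparent proxy expects the full URL in the request line;
        # skip_host=True lets us set the Host header to the internal service.
        conn.putrequest("GET", url, skip_host=True)
        conn.putheader("Host", f"localhost:{agent_port}")
        conn.putheader("User-Agent", "kerio-34069-check")  # arbitrary marker
        conn.endheaders()
        resp = conn.getresponse()
        body = resp.read(256)
        return classify(resp.status), resp.status, body.decode("utf-8", "replace")
    except (ConnectionError, socket.timeout, OSError) as exc:
        return classify(None, exc), None, str(exc)
    finally:
        conn.close()


def probe_all(targets, **kwargs):
    """Probe several appliances; returns {target: (verdict, status, detail)}."""
    return {t: probe(t, **kwargs) for t in targets}


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation address placeholder; pass real hosts as arguments.
    hosts = sys.argv[1:] or ["192.0.2.1"]
    for host, (verdict, status, detail) in probe_all(hosts).items():
        print(f"{host}: {verdict} (status={status}) {detail[:80]!r}")
```

Run it as `python3 probe.py fw1.example.internal fw2.example.internal`; an `EXPOSED` verdict reproduces the curl check, `BLOCKED` is what a patched or hardened appliance should return, and `UNREACHABLE` means the port is filtered or the proxy is disabled, which is also acceptable as a workaround state.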
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to /api/v1/ endpoints on ports 7995-7996
- Proxy requests to internal GFIAgent services from unauthorized sources
Network Indicators:
- Unusual HTTP traffic to port 3128 followed by requests to ports 7995-7996
- External IPs accessing GFIAgent API endpoints
SIEM Query:
The attacker's connection has destination port 3128; the proxy's follow-on hop to GFIAgent is a separate local connection with an ephemeral source port, so a single-flow match on source port 3128 and destination port 7995/7996 will not fire. Use two searches instead (field names are placeholders; map them to your schema):
- Inbound proxy use from untrusted sources: `dest_port=3128 AND NOT src_ip IN (<trusted ranges>)`
- Proxy log entries whose target is the local GFIAgent: `proxy_target_host IN ("localhost", "127.0.0.1") AND proxy_target_port IN (7995, 7996)`
Do not filter on the User-Agent header: it is attacker-controlled and can trivially be set to contain "Kerio".
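To make the log indicators above concrete, here is an added example, not from the advisory or from GFI, that scans proxy access-log lines and flags requests whose target is the loopback GFIAgent ports (7995/7996), rating external clients HIGH and internal ones MEDIUM. The log format (`<timestamp> <client_ip> <method> <target> <status>`) and the sample lines are constructed for the example; real Kerio Control logs differ, and only `parse_line()` needs adapting.

```python
"""Added example (not from the advisory or from GFI): flag proxy requests that
reach the internal GFIAgent ports through the Kerio Control HTTP proxy.

Assumption: one request per line in the constructed format
"<timestamp> <client_ip> <method> <target> <status>". Real Kerio Control log
formats differ; only parse_line() needs adapting.
"""
import ipaddress
import re
from urllib.parse import urlsplit

GFIAGENT_PORTS = {7995, 7996}          # from the advisory
LOOPBACK_NAMES = {"localhost"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines, not real appliance output.
SAMPLE_LOG = """\
2025-06-20T10:01:02Z 203.0.113.45 GET http://localhost:7995/api/v1/uuid 200
2025-06-20T10:01:03Z 203.0.113.45 GET http://127.0.0.1:7996/ 200
2025-06-20T10:02:10Z 10.0.5.23 GET http://example.com/index.html 200
2025-06-20T10:03:11Z 10.0.5.23 GET http://localhost:7995/api/v1/uuid 200
2025-06-20T10:04:00Z 198.51.100.7 CONNECT localhost:7995 200
2025-06-20T10:05:00Z 198.51.100.7 GET http://localhost:8080/ 403
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def target_host_port(method, target):
    """Host and port the proxy was asked to reach (CONNECT carries host:port)."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.strip("[]"), int(port) if port.isdigit() else 443
    parts = urlsplit(target)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def analyze(log_text, trusted_nets=("10.0.0.0/8",)):
    """Return findings for requests that reach GFIAgent via the proxy.

    Severity is HIGH when the client is outside trusted_nets (the external
    access pattern from the advisory) and MEDIUM for internal clients, which
    still have no legitimate reason to reach GFIAgent through the proxy.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, port = target_host_port(rec["method"], rec["target"])
        if not (is_loopback(host) and port in GFIAGENT_PORTS):
            continue
        client = ipaddress.ip_address(rec["client"])
        severity = "MEDIUM" if any(client in n for n in trusted) else "HIGH"
        findings.append({
            "ts": rec["ts"], "client": str(client), "method": rec["method"],
            "port": port, "status": int(rec["status"]), "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['client']} {f['method']} "
              f"-> GFIAgent:{f['port']} (HTTP {f['status']})")
```

The check keys on the requested target rather than on flow ports, which is why it catches both absolute-URL GETs and CONNECT tunnels to the agent ports; the request to localhost:8080 and the ordinary web request are ignored.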