CVE-2003-0220

Kerio Personal Firewall <2.1.4 - RCE

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2003-0220. PoCs were published by Metasploit, y0, and Burebista, including the Metasploit module exploits/windows/firewall/kerio_auth.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in Kerio Personal Firewall 2.1.4's authentication process. It sends a maliciously crafted packet to trigger the overflow and execute arbitrary code via a reverse shell.

Description

Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16465

This exploit targets a stack buffer overflow in Kerio Personal Firewall 2.1.4's authentication process. It sends a maliciously crafted packet to trigger the overflow and execute arbitrary code via a reverse shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kerio Personal Firewall 2.1.4
No auth needed
Prerequisites: Network access to the target system · Kerio Personal Firewall 2.1.4 running on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by y0 · remote · windows
https://www.exploit-db.com/exploits/1537

This exploit targets a stack-based buffer overflow in Kerio Personal Firewall 2.1.4's authentication process. It sends a crafted packet with alphanumeric padding, shellcode, and a return address to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kerio Personal Firewall 2.1.4
No auth needed
Prerequisites: Network access to target port (44334 by default) · Target OS and version matching one of the provided addresses
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Burebista · c · remote · windows
https://www.exploit-db.com/exploits/28

This exploit targets a buffer overflow vulnerability in Kerio Personal Firewall v2.1.4, allowing remote code execution via a crafted packet sent to port 44334. The shellcode downloads and executes a payload from a remote URL.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kerio Personal Firewall v2.1.4
No auth needed
Prerequisites: Network access to the target's port 44334 · Firewall configured to allow traffic to the port
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by ThreaT · c · remote · windows
https://www.exploit-db.com/exploits/22418

This exploit targets a buffer overflow vulnerability in Kerio Personal Firewall and Tiny Personal Firewall during the administration authentication process. It sends a malicious packet with excessive data to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kerio Personal Firewall 2.1.4 and earlier, Tiny Personal Firewall 2.0.15
No auth needed
Prerequisites: Network access to the target system · Target system running vulnerable firewall software
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Core Security · python · dos · windows
https://www.exploit-db.com/exploits/22417

This exploit targets a buffer overflow vulnerability in Kerio Personal Firewall 2.1.4 and earlier during the administration authentication process. It sends a malicious packet with excessive data to trigger the overflow, potentially allowing arbitrary command execution with firewall privileges.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Kerio Personal Firewall <= 2.1.4
No auth needed
Prerequisites: Network access to the target system · Kerio Personal Firewall running on the target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/firewall/kerio_auth.rb

This Metasploit module exploits a stack buffer overflow in Kerio Personal Firewall 2.1.4 by sending a maliciously crafted authentication packet to port 44334, leading to remote code execution. The exploit uses a NOP sled, encoded payload, and target-specific return addresses to achieve reliability.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Kerio Personal Firewall 2.1.4
No auth needed
Prerequisites: Network access to the target system · Kerio Personal Firewall 2.1.4 running on a vulnerable Windows system
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/454716
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/7180
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105155734411836&w=2
Exploit, Patch, Vendor Advisory x_refsource_misc
http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10

Scores

EPSS: 0.6859
EPSS Percentile: 99.2%

Details

Status: published
Products (5):
kerio/personal_firewall_2 2.1
kerio/personal_firewall_2 2.1.1
kerio/personal_firewall_2 2.1.2
kerio/personal_firewall_2 2.1.3
kerio/personal_firewall_2 2.1.4
Published: May 12, 2003
Tracked Since: Feb 18, 2026