CVE-2014-3857

Kerio Control < 8.3.2 - Authenticated SQL Injection via Statistics Print Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3857. PoCs published by Khashayar Fereidani.

AI-analyzed exploit summary This is a writeup detailing a Boolean-based blind SQL injection vulnerability in Kerio Control <= 8.3.1. The vulnerability is in the /print.php endpoint, specifically in the x_16 and x_17 parameters, and requires a valid session.

Description

Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php.

Exploits (1)

exploitdb WRITEUP
by Khashayar Fereidani · textwebappsphp
https://www.exploit-db.com/exploits/33954

This is a writeup detailing a Boolean-based blind SQL injection vulnerability in Kerio Control <= 8.3.1. The vulnerability is in the /print.php endpoint, specifically in the x_16 and x_17 parameters, and requires a valid session.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Kerio Control <= 8.3.1
Auth required
Prerequisites: Valid client username and password · Valid session ID
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59215
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/33954
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/532607/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/108584

Scores

EPSS 0.0217
EPSS Percentile 79.9%

Details

CWE
CWE-89
Status published
Products (2)
kerio/control 8.3.0
kerio/control < 8.3.1
Published Jul 03, 2014
Tracked Since Feb 18, 2026