Description
A missing authentication vulnerability in the GFIAgent component of GFI Kerio Control 9.4.5 allows unauthenticated remote attackers to perform privileged operations. The GFIAgent service, responsible for integration with GFI AppManager, exposes HTTP services on ports 7995 and 7996 without proper authentication. The /proxy handler on port 7996 allows arbitrary forwarding to administrative endpoints when provided with an Appliance UUID, which itself can be retrieved from port 7995. This results in a complete authentication bypass, permitting access to sensitive administrative APIs.
References (2)
Core 2
Core References
Exploit, Third Party Advisory third-party-advisory
technical-description
exploit
https://ssd-disclosure.com/ssd-advisory-kerio-control-authentication-bypass-and-rce/
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/gfi-kerio-control-auth-bypass-rce
Scores
CVSS v3
9.8
EPSS
0.0069
EPSS Percentile
47.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (1)
gfi/kerio_control
9.4.5
Published
Jul 02, 2025
Tracked Since
Feb 18, 2026