CVE-2025-34069 is a critical authentication bypass vulnerability affecting GFI Software's Kerio Control version 9.4.5. The root cause lies in an insecure default configuration of the non-transparent proxy service listening on TCP port 3128, combined with weak access controls in the GFIAgent service. This proxy can be exploited by unauthenticated attackers to forward requests to internal services that are normally protected by firewall rules, specifically targeting the GFIAgent service on ports 7995 and 7996. By leveraging this proxy, attackers can bypass firewall restrictions and access internal management endpoints without any authentication. Once accessed, the attacker can retrieve sensitive information such as the appliance UUID and issue administrative commands through the proxy, effectively gaining full administrative control over the Kerio Control appliance. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating that critical functions are exposed without proper authentication checks. The CVSS v4.0 score of 9.5 (critical) reflects the high impact and ease of exploitation, with no user interaction or privileges required. Although no public exploits have been reported yet, the vulnerability's nature and severity make it a significant threat to organizations using the affected version of Kerio Control. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

For European organizations, the impact of this vulnerability is substantial. Kerio Control is widely used as a network security appliance providing firewall, VPN, and routing services. Full administrative access to the appliance allows attackers to manipulate firewall rules, intercept or redirect network traffic, disable security features, and potentially pivot to other internal systems. This compromises confidentiality, integrity, and availability of network resources. Sensitive data traversing the network could be exposed or altered, and network defenses could be rendered ineffective. Critical infrastructure operators, government agencies, financial institutions, and enterprises relying on Kerio Control for perimeter security are at heightened risk. The ability to bypass authentication without user interaction means automated attacks could rapidly compromise multiple devices. The exposure of internal management endpoints also increases the risk of lateral movement within networks. Given the appliance’s role in enforcing security policies, exploitation could lead to severe operational disruptions and data breaches, with regulatory and reputational consequences under European data protection laws such as GDPR.

1. Immediate mitigation should include disabling or restricting access to the non-transparent proxy service on TCP port 3128, especially from untrusted networks. 2. Network segmentation should be enforced to isolate management interfaces (ports 7995 and 7996) from general network access, allowing only trusted administrative hosts to connect. 3. Implement strict firewall rules to block unauthorized forwarding of requests to internal services via the proxy. 4. Monitor network traffic for unusual proxy usage patterns or unexpected access to GFIAgent service ports. 5. If possible, upgrade to a patched version of Kerio Control once available; in the meantime, consider applying vendor-recommended workarounds or configuration changes to disable the vulnerable proxy feature. 6. Employ multi-factor authentication and strong access controls on administrative interfaces to reduce risk if the vulnerability is exploited. 7. Conduct regular audits of appliance configurations to ensure no insecure defaults remain enabled. 8. Maintain up-to-date intrusion detection/prevention systems to detect exploitation attempts targeting this vulnerability.