Platform: other
Fixed in: 10.0.7
CVE-2025-2976 is an Unrestricted File Upload vulnerability affecting GFI KerioConnect version 10.0.6. The flaw allows an attacker to upload arbitrary files, which can lead to cross-site scripting (XSS). The vulnerability has been publicly disclosed and a patch is available in version 10.0.7, so affected installations should be updated promptly.
Successful exploitation of CVE-2025-2976 lets an attacker place files of their choosing on the KerioConnect server. If such a file is later served to other users of the application, it can be used to carry out XSS attacks against them, with consequences such as session hijacking, defacement of the application, or theft of sensitive user data. Because the upload is unrestricted, the attack surface extends beyond XSS: depending on server configuration and how uploaded files are handled, other payloads, potentially up to remote code execution, cannot be ruled out.
This vulnerability was publicly disclosed on 2025-03-31. An exploit is publicly available, which increases the likelihood of exploitation. The CVSS score is LOW, suggesting that a successful attack requires some user interaction or a specific configuration. There is currently no indication of active exploitation campaigns targeting this vulnerability, but the public availability of the exploit warrants immediate attention.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2025-2976 is to upgrade KerioConnect to version 10.0.7 or later, which contains the fix. If an immediate upgrade is not possible, consider temporary workarounds: enforce strict file type validation on the upload endpoint, limit file sizes, and place a Web Application Firewall (WAF) in front of the service to block suspicious uploads. Review KerioConnect logs regularly for unusual file upload activity. After upgrading, confirm that the fix is effective by attempting an upload with a known malicious extension and verifying that it is rejected.
Update KerioConnect to a version later than 10.0.6 if one is available. If none is available, contact the vendor for a patch or an alternative solution. As a temporary measure, review and filter file inputs to prevent the injection of malicious content.
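The "strict file type validation" workaround described above, as an added example of what such a check looks like on an upload endpoint. This is not KerioConnect's code; the extension allowlist, the size cap and the response headers are assumed values chosen for illustration.

```python
# Added example: defensive validation for an upload endpoint, the control the
# mitigation above calls "strict file type validation". Not KerioConnect code;
# the allowlist, size cap and header policy below are assumptions.
import re

MAX_BYTES = 5 * 1024 * 1024  # assumed size cap

# extension -> (accepted magic-byte prefixes, MIME type to serve it with)
ALLOWED = {
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "pdf": ((b"%PDF-",), "application/pdf"),
}
_STEM = re.compile(r"^[A-Za-z0-9_-]+$")  # no separators, dots or quotes
# markup a browser could execute if the file were ever rendered inline
_ACTIVE = re.compile(rb"<\s*(script|svg|html|!doctype)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason). Reject path tricks, double extensions, unknown
    extensions, oversize files, extension/content mismatch and embedded markup."""
    parts = filename.lower().split(".")
    if len(parts) != 2:
        return False, "missing or multiple extensions"
    stem, ext = parts
    if not _STEM.match(stem):
        return False, "disallowed characters in filename"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    magics, _ = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match extension"
    if _ACTIVE.search(data[:4096]):
        return False, "markup found in file body"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers for serving a validated file so the browser never renders it
    as HTML within the application's origin (defence in depth for stored XSS)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return {
        "Content-Type": ALLOWED[ext][1],
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The extension check alone is not enough: the magic-byte and markup checks catch a file that is named like an image but carries HTML, and the download headers stop a browser from interpreting a stored file as a page even if a later check is bypassed.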
CVE-2025-2976 is a vulnerability in KerioConnect version 10.0.6 that allows attackers to upload arbitrary files, potentially leading to cross-site scripting (XSS).
Yes, if you are running KerioConnect version 10.0.6, you are affected by this vulnerability and should upgrade immediately.
Upgrade KerioConnect to version 10.0.7 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While there is no confirmed active exploitation, the public availability of the exploit increases the risk of exploitation.
Refer to the official KerioConnect security advisory for detailed information and updates regarding CVE-2025-2976.