Improper Access Control: Partial Firewall Bypass (UDP) in Kerlink Gateways
| Field | Value |
|---|---|
| CVE ID | CVE-2024-32388 |
| CVE Link | https://nvd.nist.gov/vuln/detail/CVE-2024-32388 |
| Vendor | Kerlink |
| Affected Product & Version | KerOS <= 5.11 |
| Vulnerability Type | CWE-284: Improper Access Control |
| CVSS Base Score / CVSS Vector | NVD: Waiting for Analysis; BDO: 5.3 Medium / |
| Author | Martin Weißbach |
| Date | 2025-11-21 |
CVE Details
Description:
Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected.
Remediation:
Update to KerOS 5.12.
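A fleet-triage helper for the affected-version range above (KerOS <= 5.11 affected, 5.12 fixed), added here as an example and not code from Kerlink or from this advisory's author. It assumes version strings of the form "5.11", "5.11.2" or "KerOS 5.12"; the inventory dictionary is constructed sample data. The numeric tuple comparison matters because a naive string compare sorts "5.9" after "5.12" and would mark an affected gateway as patched.

```python
"""Triage helper for CVE-2024-32388: flag gateways still on KerOS <= 5.11.

Added example for this advisory, not Kerlink's code. Assumes version strings
such as "5.11", "5.11.2" or "KerOS 5.12" (hypothetical format).
"""
import re

FIXED_VERSION = (5, 12)  # first unaffected release, per the advisory


def parse_keros_version(text):
    """Return the dotted version number in `text` as a tuple of ints.

    Returns None when no dotted version is present (e.g. "unknown").
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(text):
    """True when major.minor is below 5.12, i.e. 5.11.x and earlier.

    Tuple comparison avoids the lexical trap where "5.9" > "5.12" as strings.
    Unparseable versions are treated as affected so they get a manual review.
    """
    version = parse_keros_version(text)
    if version is None:
        return True
    return version[:2] < FIXED_VERSION  # patch level does not change the verdict


# Constructed sample inventory: gateway name -> reported firmware string.
SAMPLE_INVENTORY = {
    "gw-01": "KerOS 5.9.1",
    "gw-02": "KerOS 5.11",
    "gw-03": "KerOS 5.12",
    "gw-04": "unknown",
}


def gateways_needing_update(inventory):
    """Sorted names of gateways that should be updated to KerOS 5.12."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for name in gateways_needing_update(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} -> update to KerOS 5.12")
```

Run it against an export of your gateway inventory; anything listed (including devices whose version could not be parsed) should be scheduled for the 5.12 update or checked by hand.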
References:
- https://keros.docs.kerlink.com/security/security_advisories_kerOS5
- https://wikikerlink.fr/wirnet-productline/doku.php?id=wiki:resources:sw_history#keros_firmware_v5120_november_2025
Timeline
2024-03-19: Vulnerability reported to Kerlink
2024-03-23: Kerlink informed us that the issues were under analysis
2024-03-29: Vendor confirmed the vulnerabilities and provided an update on the current status of the analysis, including potential fixes
2024-04-08: We provided feedback on the potential fixes
2024-04-28: Vendor provided an update on the status of the potential fixes
2024-06-11: We reported additional vulnerabilities; ongoing communication regarding these issues
2025-08-05: Informed Kerlink of our intention to release the CVEs
2025-11-06: Vendor released an update
2025-11-21: CVE published