// For flags

CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

15
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

Act
*SSVC
Descriptions

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Progress Telerik UI para ASP.NET AJAX hasta 2019.3.1023 contiene una vulnerabilidad de deserialización de .NET en la función RadAsyncUpload. Esto es explotable cuando las claves de cifrado se conocen debido a la presencia de CVE-2017-11317 o CVE-2017-11357, u otros medios. La explotación puede resultar en la ejecución remota de código. (A partir de 2020.1.114, una configuración predeterminada evita la explotación. En 2019.3.1023, pero no en versiones anteriores, una configuración no predeterminada puede evitar la explotación).

The Telerik UI for ASP.NET AJAX insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host.

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Act
Exploitation
Active
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2019-11-13 CVE Reserved
  • 2019-12-11 CVE Published
  • 2019-12-18 First Exploit
  • 2021-11-03 Exploited in Wild
  • 2022-05-03 KEV Due Date
  • 2025-01-08 EPSS Updated
  • 2025-02-04 CVE Updated
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (24)
URL Tag Source
http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html Third Party Advisory
https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html Not Applicable
https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data Media Coverage
https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29 Release Notes
https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
https://github.com/straightblast/UnRadAsyncUpload/wiki
https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui
URL Date SRC
https://packetstorm.news/files/id/159653 2020-10-20
https://packetstorm.news/files/id/155720 2019-12-18
https://www.exploit-db.com/exploits/47793 2019-12-18
https://github.com/noperator/CVE-2019-18935 2025-02-04
https://github.com/murataydemir/CVE-2019-18935 2020-08-25
https://github.com/random-robbie/CVE-2019-18935 2020-09-30
https://github.com/dust-life/CVE-2019-18935-memShell 2023-12-25
https://github.com/0xAgun/CVE-2019-18935-checker 2021-10-29
https://github.com/bao7uo/RAU_crypto 2025-02-04
https://github.com/becrevex/Telerik_CVE-2019-18935 2022-06-27
https://github.com/ThanHuuTuan/Telerik_CVE-2019-18935 2024-09-14
https://github.com/appliedi/Telerik_CVE-2019-18935 2021-07-21
https://github.com/KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation 2022-10-13
http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html 2025-02-04
https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui 2025-02-04
URL Date SRC
https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization 2019-12-09
URL Date SRC
https://www.telerik.com/support/whats-new/release-history 2024-07-25
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Telerik
Search vendor "Telerik"
 Ui For Asp.net Ajax
Search vendor "Telerik" for product "Ui For Asp.net Ajax"
 >= 2011.1.315 <= 2020.1.114
Search vendor "Telerik" for product "Ui For Asp.net Ajax" and version " >= 2011.1.315 <= 2020.1.114"
-
Affected