CVE-2017-11317
Published 2017-08-23
Priority P194 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-02
Exploited in the wild
EPSS: 83.48% (99.6th percentile)
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gfi | archiver | < 15.2 | 15.2 |
| quest | kace_desktop_authority | >= 10.0 < 11.2 | 11.2 |
| telerik | ui_for_asp.net_ajax | <= 2016.3.1027 | — |
| telerik | ui_for_asp.net_ajax | — | — |
| telerik | ui_for_asp.net_ajax | — | — |
| telerik | ui_for_asp.net_ajax | 2011.1.315 – 2020.1.114 | — |
Detection & IOCs
- Detect HTTP POST requests to the RadAsyncUpload endpoint with multipart boundary '-----------------------------68821516528156' and a 'rauPostData' field, which is the exploit delivery mechanism for CVE-2017-11317.
- Monitor for HTTP POST requests to 'Telerik.Web.UI.WebResource.axd?type=rau'. This is the vulnerable RadAsyncUpload endpoint targeted by CVE-2017-11317 exploitation.
- Alert on files named 'RAU_crypto.bypass' appearing on disk or in upload responses, as this is the bypass filename used by the public PoC exploit tool.
- Detect MSHTA spawning network connections or downloading .hta files from hard-coded IP addresses as a post-exploitation reverse shell delivery method following Telerik exploitation.
- Hunt for web shells dropped under C:\Users\Public\Music\ or C:\WebRoot\...\Images\Common\ directories, which are attacker-preferred staging paths after Telerik exploitation.
- Detect Windows Defender exclusion path additions (e.g., D:\) via PowerShell Add-MpPreference, a common post-exploitation defense evasion step observed after Telerik exploitation.
- The Telerik UI version can be fingerprinted from HTTP responses using the regex pattern matching '20\d{2}(.\d+)+' in the HTML; version 2013.1.417 (and other pre-R1 2017 versions) remain vulnerable.
- The Metasploit module for CVE-2019-18935 (chained with CVE-2017-11317) uploads a mixed-mode .NET assembly DLL via the RAU endpoint; detect DLL writes originating from the IIS/ASP.NET worker process (w3wp.exe).
- CVE-2017-11317 uses hardcoded/weak encryption keys in RadAsyncUpload. The exploit requires knowing the Telerik UI version number (format YYYY.#(.###)?). Once the vendor patch is applied, keys are randomized, but the chained CVE-2019-18935 deserialization attack still requires the keys, so both CVEs are typically exploited together.
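The first two indicators above can be checked against IIS W3C logs and captured request headers. The following is an added example, not code from any of the sources on this page; the sample log lines are constructed, and the function names (`find_rau_posts`, `posts_by_client`, `has_poc_boundary`) are illustrative.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

RAU_HANDLER = "telerik.web.ui.webresource.axd"
# Boundary digits used by the public PoC, per the indicator listed above.
POC_BOUNDARY = re.compile(r"-{2,}68821516528156")

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-05-01 10:00:01 203.0.113.7 GET /Telerik.Web.UI.WebResource.axd type=rau 200
2024-05-01 10:00:05 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2024-05-01 10:00:09 198.51.100.4 POST /app/telerik.web.ui.webresource.axd TYPE=RAU 500
2024-05-01 10:01:00 192.0.2.10 POST /Telerik.Web.UI.WebResource.axd type=other 200
2024-05-01 10:01:02 192.0.2.10 POST /upload.aspx - 200
""".splitlines()


def find_rau_posts(lines):
    """Return log rows that are POSTs to the RadAsyncUpload handler."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # malformed or truncated row
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "").lower()
        query = parse_qs(row.get("cs-uri-query", "").lower())
        if (row.get("cs-method") == "POST"
                and stem.endswith("/" + RAU_HANDLER)
                and "rau" in query.get("type", [])):
            hits.append(row)
    return hits


def posts_by_client(hits):
    """Count matching POSTs per client IP for triage."""
    return Counter(h["c-ip"] for h in hits)


def has_poc_boundary(content_type):
    """True if a captured Content-Type header carries the PoC boundary."""
    return bool(POC_BOUNDARY.search(content_type))


if __name__ == "__main__":
    for ip, count in posts_by_client(find_rau_posts(SAMPLE_LOG)).items():
        print(ip, count)
```

RadAsyncUpload is also the legitimate upload path, so matching POSTs are leads to correlate with the host-side indicators above rather than verdicts on their own.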
CVSS provenance
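| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |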
GHSA
GHSA-gxxx-8rjm-vqf3: File upload vulnerability in GFI Mail Archiver versions up to and including 15
ghsa_unreviewed·2022-07-08·CVSS 7.5
CVE-2021-29281 [HIGH] CWE-434 GHSA-gxxx-8rjm-vqf3: File upload vulnerability in GFI Mail Archiver versions up to and including 15
File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.
GHSA
GHSA-c655-3j45-33xw: Progress Telerik UI for ASP
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2019-18935 [CRITICAL] CWE-502 GHSA-c655-3j45-33xw: Progress Telerik UI for ASP
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (In 2019.3.1023 but not earlier versions, a non-default setting can prevent exploitation.)
GHSA
GHSA-9v96-j7x8-6wjv: Telerik
ghsa_unreviewed·2022-05-13
CVE-2017-11317 [CRITICAL] CWE-326 GHSA-9v96-j7x8-6wjv: Telerik
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
GHSA
GHSA-c7j6-8r6v-p532: An issue was discovered in Quest KACE Desktop Authority before 11
ghsa_unreviewed·2021-12-23·CVSS 9.8
CVE-2021-44029 [CRITICAL] CWE-502 GHSA-c7j6-8r6v-p532: An issue was discovered in Quest KACE Desktop Authority before 11
An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation.
VulnCheck
Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-11317 [CRITICAL] CWE-326 Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Affected: Progress User Interface (UI) for ASP.NET AJAX
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.telerik.com/blogs/blue-mockingbird-vulnerability-telerik-guidance; https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/; https://cisa.gov/news-events/cybersecurity-advisories/aa23-074a; https://www.cisa.gov/sites/default/file
CISA
Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
cisa·2022-04-11·CVSS 9.8
CVE-2017-11317 [CRITICAL] CWE-326 Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
Vulnerability: Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
Affected: Telerik User Interface (UI) for ASP.NET AJAX
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-11317
Remediation Due Date: 2022-05-02
CISA ICS
Hitachi ABB Power Grids eSOMS Telerik
cisa_ics·2021-03-18·CVSS 9.8
[CRITICAL] Hitachi ABB Power Grids eSOMS Telerik
ICS Advisory
Hitachi ABB Power Grids eSOMS Telerik
Last Revised: March 18, 2021
Alert Code: ICSA-21-077-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Hitachi ABB Power Grids
- Equipment: eSOMS Telerik
- Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover se
No detection rules found.
Exploit-DB
Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload
exploitdb·2018-01-24·CVSS 9.8
CVE-2017-11357 [CRITICAL] Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload
Telerik UI for ASP.NET AJAX 2012.3.1308
```python
))|' +
        '(?<=Version%3d)20\d{2}(.\d+)+(?=%2c)|' +
        '(?<=Version=)20\d{2}(.\d+)+(?=,)',
        html
    )
    if match:
        return match.group(0)
    else:
        return "No version result"

def payload(TempTargetFolder, Version, payload_filename):
    sys.stderr.write("file: " + payload_filename + "\n")
    sys.stderr.write("version: " + Version + "\n")
    sys.stderr.write("destination " + TempTargetFolder + "\n")
    sys.stderr.write("Preparing payload... \n")
    payload_file = open(payload_filename, "r")
    payload_file_data = payload_file.read()
    payload_file.close()
    quiet = True
    data = "-----------------------------68821516528156\r\n"
    data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n"
    data += "\r\n"
    data += rauPostData_prep(quiet, TempTargetFolder, Version) + "\r\n"
    data += "-----
```
Metasploit
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
metasploit·CVSS 9.8
CVE-2019-18935 [CRITICAL] Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization
This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').
Tenable
GFI Archiver v15.7 Multiple vulnerabilities
blogs_tenable·2025-06-10
GFI Archiver v15.7 Multiple vulnerabilities
Unit42
Silent Skimmer Gets Loud (Again)
blogs_unit42·2024-11-07·CVSS 9.8
[CRITICAL] Silent Skimmer Gets Loud (Again)
## Executive Summary
In late May 2024, Unit 42 researchers observed an adversary compromising multiple web servers to gain access to the environment of a multinational organization headquartered in North America. Based on overlaps in adversary infrastructure and tools, as well as tactics, techniques and procedures (TTPs), it’s possible to attribute the activity identified to the same threat actor behind the Silent Skimmer campaign.
In September 2023, an online payment scraping campaign was uncovered and dubbed Silent Skimmer. Since then, there has been little to no news of Silent Skimmer – until now.
According to our research, the financially motivated threat actor behind the Silent Skimmer campaign is targeting organizations that host or create payment infrastructure and gateways. Unit
Unit42
Silent Skimmer Gets Loud (Again)
blogs_unit42·2024-11-07·CVSS 9.8
CVE-2017-11317 [CRITICAL] Silent Skimmer Gets Loud (Again)
## Silent Skimmer Gets Loud (Again)
By Veronika Senderovych, Chema Garcia, Zack Fink
Published: November 7, 2024
Tags: Cybercrime, Threat Actor Groups, Threat Research, C++, CL-CRI-0941, CVE-2017-11317, CVE-2019-18935, GodPotato, Python, Remote Code Execution, Reverse shells, RingQ loader, Silent Skimmer, Telerik UI
Tenable
CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
blogs_tenable·2024-06-04·CVSS 9.9
[CRITICAL] CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
Tenable
Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935)
blogs_tenable·2020-07-22·CVSS 9.8
[CRITICAL] Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935)
HackerOne
Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)
hackerone·2021-06-03·CVSS 9.8
CVE-2019-18935 [CRITICAL] Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)
Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)
**Description:**
https://██████/██████████/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.
## References
https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui
## Impact
An attacker can execute code on the vulnerable server, allowing an attacker to gain a foothold and exfiltrate data. Depending on the security posture of the underlying system, an attacker may be able to escalate privileges or laterally move to other systems within the network using this access.
## System Host(s)
████
## Affected Product(s) and Version(s)
Tele
HackerOne
Remote Code Execution via CVE-2019-18935
hackerone·2020-08-13·CVSS 9.8
CVE-2019-18935 [CRITICAL] Remote Code Execution via CVE-2019-18935
Remote Code Execution via CVE-2019-18935
**Summary:**
The website at https://█████████/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.
## Step-by-step Reproduction Instructions
1. Browse to https://█████/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau. You will see the following message confirming that the file upload handler is registered:
`{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }`
2. From here on out I used the write-up at https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui for reference.
3. With a slight modificatio
HackerOne
Remote Code Execution via Insecure Deserialization in Telerik UI
hackerone·2020-05-07·CVSS 9.8
CVE-2017-11317 [CRITICAL] Remote Code Execution via Insecure Deserialization in Telerik UI
Remote Code Execution via Insecure Deserialization in Telerik UI
Hello,
I found an outdated version of Telerik Web UI (v2016.2.607.40) at the following URL: https://███/Telerik.Web.UI.WebResource.axd?type=rau.
This means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and CVE-2019-18935, which is a deserialization vulnerability.
First of all, the only thing that I tried to prove that I had successfully achieved code execution was making the server sleep for 10 seconds.
No data was compromised.
Steps to reproduce
The steps that I followed are thoroughly described in this blog post: .
Here's a quick summary:
- Download the files in the attachments
- Make sure you have pycryptodome installed (pip3 install
- http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html
- http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0006
- https://www.exploit-db.com/exploits/43874/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11317
- 2017-08-23: Published
- 2022-04-11: Added to CISA KEV
- Exploited in the wild