CVE-2017-11317
published 2017-08-23


Priority: P1 (94) · Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-05-02)
Exploited in the wild
EPSS: 83.48% (99.6th percentile)
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

Affected

6 ranges (vendor / product / version range / fixed in). The non-Telerik rows are products that bundle Telerik UI for ASP.NET AJAX; the /Archiver/ path in the IOCs below is GFI Archiver's copy of the handler.

  gfi      archiver                 < 15.2                     fixed in 15.2
  quest    kace_desktop_authority   >= 10.0, < 11.2            fixed in 11.2
  telerik  ui_for_asp.net_ajax      <= 2016.3.1027             (no fixed version listed)
  telerik  ui_for_asp.net_ajax      (no version range listed)
  telerik  ui_for_asp.net_ajax      (no version range listed)
  telerik  ui_for_asp.net_ajax      2011.1.315 – 2020.1.114    (no fixed version listed)

Detection & IOCs (extracted from sources)

URL: /Telerik.Web.UI.WebResource.axd?type=rau
URL: /Archiver/Telerik.Web.UI.WebResource.axd?type=rau
  • Detect HTTP POST requests to the RadAsyncUpload endpoint that carry a 'rauPostData' form field; this is the exploit delivery mechanism for CVE-2017-11317. The public PoC additionally uses the fixed multipart boundary '-----------------------------68821516528156'. Treat the boundary as a PoC-specific signature that an attacker can change in one line; the endpoint plus rauPostData is the durable indicator. Note that legitimate RadAsyncUpload clients also post rauPostData, so baseline normal use of the control before alerting on the field alone.
  • Monitor for HTTP POST requests to 'Telerik.Web.UI.WebResource.axd?type=rau' (at the site root or under a sub-application path); this is the vulnerable RadAsyncUpload handler targeted by CVE-2017-11317 exploitation. If the application does not use RadAsyncUpload, any POST to this handler is suspect.
  • Alert on files named 'RAU_crypto.bypass' appearing on disk or in upload responses; this is the default bypass filename used by the public PoC exploit tool.
  • Detect mshta.exe spawning network connections or downloading .hta files from hard-coded IP addresses, a post-exploitation reverse-shell delivery method observed after Telerik exploitation.
  • Hunt for web shells dropped under C:\Users\Public\Music\ or C:\WebRoot\...\Images\Common\, attacker-preferred staging paths after Telerik exploitation.
  • Detect Windows Defender exclusion-path additions (e.g., D:\) via PowerShell Add-MpPreference, a common post-exploitation defense-evasion step observed after Telerik exploitation.
  • The Telerik UI version can be fingerprinted from HTTP responses by matching the version string in the HTML with a pattern such as '20\d{2}(\.\d+)+' (the dot escaped; the unescaped form '20\d{2}(.\d+)+' also matches but accepts any separator). Version 2013.1.417, like every other pre-R1 2017 version, remains vulnerable.
  • The Metasploit module for CVE-2019-18935 (chained with CVE-2017-11317) uploads a mixed-mode .NET assembly DLL via the RAU endpoint; detect DLL writes, and unexpected child processes, originating from the IIS/ASP.NET worker process (w3wp.exe).
  • CVE-2017-11317 is the use of hardcoded/weak encryption keys in RadAsyncUpload. The exploit requires knowing the Telerik UI version number (format YYYY.#(.###)?). Once the vendor patch is applied the keys are no longer the known defaults, but the chained CVE-2019-18935 deserialization attack still requires valid keys, so the two CVEs are typically exploited together: key recovery via CVE-2017-11317, then code execution via CVE-2019-18935.
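The notes above list signals rather than detection logic. As an added example, not code from this page, from Telerik or from any of the cited tools, the Python below runs those checks over constructed sample requests and a constructed response fragment: it flags POSTs to the RAU handler that carry a rauPostData field, separates the PoC-specific boundary and filename from the durable endpoint indicator, fingerprints the Telerik version with the escaped form of the regex from the notes, and maps the version onto the ranges in the Affected table. The request dict shape, the sample bodies and the HTML fragment are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the detection notes above.
RAU_HANDLER = "telerik.web.ui.webresource.axd"
POC_BOUNDARY = "-----------------------------68821516528156"   # fixed boundary of the public PoC
POC_FILENAME = "RAU_crypto.bypass"                              # default upload name of the public PoC
# Telerik version as it appears in page source, e.g. 2013.1.417 (dot escaped on purpose).
VERSION_RE = re.compile(r"20\d{2}(?:\.\d+)+")


def is_rau_endpoint(path):
    """True for any path ending in Telerik.Web.UI.WebResource.axd with ?type=rau,
    whether at the site root or under a sub-application such as /Archiver/."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(RAU_HANDLER):
        return False
    return "rau" in (v.lower() for v in parse_qs(parts.query).get("type", []))


def rau_indicators(req):
    """Names of the indicators that fire on one request.
    `req` is a constructed dict (method, path, content_type, body), not a real log format."""
    hits = set()
    if req["method"].upper() != "POST" or not is_rau_endpoint(req["path"]):
        return hits
    hits.add("rau_post")                 # POST to the vulnerable handler (durable indicator)
    if "rauPostData" in req["body"]:
        hits.add("rauPostData")          # encrypted upload configuration field
    if POC_BOUNDARY in req["content_type"]:
        hits.add("poc_boundary")         # PoC-specific, trivially changed by an attacker
    if POC_FILENAME in req["body"]:
        hits.add("poc_filename")         # PoC-specific
    return hits


def fingerprint_versions(html):
    """Telerik version strings visible in an HTTP response body."""
    return sorted(set(VERSION_RE.findall(html)))


def _vtuple(version):
    return tuple(int(x) for x in version.split("."))


def classify(version):
    """Map a fingerprinted version onto the ranges listed on this page.

    Returns (status, in_chain_range):
      status          'vulnerable'      <= 2016.3.1027 (Affected table row)
                      'check_sp_level'  2017.2.x: 'R2 before R2 2017 SP2' is affected, but the
                                        page gives no build number, so confirm the SP manually
                      'not_affected'    anything else, per the description above
      in_chain_range  2011.1.315 .. 2020.1.114, the range listed alongside the chained
                      CVE-2019-18935 deserialization attack
    """
    v = _vtuple(version)
    if v <= (2016, 3, 1027):
        status = "vulnerable"
    elif v[:2] == (2017, 2):
        status = "check_sp_level"
    else:
        status = "not_affected"
    in_chain = (2011, 1, 315) <= v <= (2020, 1, 114)
    return status, in_chain


def scan(requests):
    """(index, sorted indicator names) for every request that touches the RAU handler."""
    return [(i, sorted(rau_indicators(r))) for i, r in enumerate(requests) if rau_indicators(r)]


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    {   # public-PoC shaped upload: endpoint, rauPostData, fixed boundary, bypass filename
        "method": "POST",
        "path": "/Telerik.Web.UI.WebResource.axd?type=rau",
        "content_type": "multipart/form-data; boundary=" + POC_BOUNDARY,
        "body": (
            "--" + POC_BOUNDARY + '\r\nContent-Disposition: form-data; name="rauPostData"\r\n\r\n'
            "<base64 ciphertext>&<base64 ciphertext>\r\n"
            "--" + POC_BOUNDARY + '\r\nContent-Disposition: form-data; name="file"; '
            'filename="RAU_crypto.bypass"\r\n\r\n<payload>\r\n--' + POC_BOUNDARY + "--\r\n"
        ),
    },
    {   # same handler under GFI Archiver's /Archiver/ path with a browser-style boundary:
        # indistinguishable from a legitimate upload, so it must be baselined, not auto-blocked
        "method": "POST",
        "path": "/Archiver/Telerik.Web.UI.WebResource.axd?type=rau",
        "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
        "body": '------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name="rauPostData"\r\n\r\n...',
    },
    {"method": "GET", "path": "/Telerik.Web.UI.WebResource.axd?type=rau", "content_type": "", "body": ""},
    {"method": "POST", "path": "/upload.aspx", "content_type": "multipart/form-data; boundary=x", "body": 'name="file"'},
]

# Constructed response fragment in the shape of a Telerik script-manager reference.
SAMPLE_HTML = (
    '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=ctl00_RadScriptManager1_TSM'
    '&amp;compress=1&amp;_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2013.1.417%2c'
    '+Culture%3dneutral..." type="text/javascript"></script>'
)

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {hits}")
    for v in fingerprint_versions(SAMPLE_HTML):
        print(v, classify(v))
```

The second sample request fires only the durable indicators, which is the point: a detection that keys on the PoC boundary or filename alone misses a renamed tool, while one that keys on the handler alone pages on every legitimate RadAsyncUpload user. Pair the endpoint rule with a baseline of which applications actually use the control, and with the version check for anything in the chain range.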

CVSS provenance

  NVD        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  NVD        v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
  VulnCheck         9.8   CRITICAL
  CISA              9.8   CRITICAL