CVE-2024-1800
published 2024-03-20


Priority: P1 · 78 · high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 40.38% (98.5th percentile)
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.

Affected (2 ranges)

Vendor                         Product                Version range                      Fixed in
progress                       telerik_report_server  < 10.0.24.130                      10.0.24.130
progress_software_corporation  telerik_report_server  >= 1.00, < 2024 Q1 (10.0.24.130)   2024 Q1 (10.0.24.130)

Detection & IOCs (extracted from sources)

url: /Startup/Register
url: /api/reportserver/report
command: cmd.exe
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Telerik Deserialization Attempt - POST to Vulnerable Path with Specific Extension (CVE-2024-1800)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/reportserver/report"; endswith; fast_pattern; http.request_body; content:"|22|reportName|22|"; content:"|22|reportContent|22|"; content:"|22|extension|22|"; pcre:"/^[^\x22]+\x22\.tr(d|b)p\x22/Ri"; reference:cve,2024-1800; classtype:attempted-admin; sid:2053448; rev:1; metadata:attack_target Server, created_at 2024_06_11, cve CVE_2024_1800, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Look for unauthenticated POST requests to /Startup/Register — this endpoint should not be accessible post-setup and its use indicates exploitation of the auth bypass (CVE-2024-4358) chained with CVE-2024-1800.
  • Detect POST requests to /api/reportserver/report with a body containing 'reportName', 'reportContent', 'extension', and a filename ending in .trdp or .trbp — this matches the malicious report upload used for deserialization RCE.
  • Inspect XML payloads sent to the Report Server for 'ResourceDictionary' and 'ObjectDataProvider' elements, which are the key indicators of the deserialization exploit payload.
  • Review the Report Server users list at '{host}/Users/Index' for unrecognized Local users — rogue admin accounts created via the auth bypass will appear here.
  • Use the Shodan query 'title:"Log in | Telerik Report Server"' to identify internet-exposed Report Server instances for asset inventory and exposure assessment.
  • The Metasploit module targets Report Server version 10.0.24.130 and prior; flag any such version string observed in HTTP response headers or banners as a high-priority patching target.
  • The Metasploit module will automatically delete the crafted report after exploitation but will NOT delete the rogue admin account it creates, leaving a persistent backdoor account on the system.
  • A temporary mitigation (short of patching) is to change the Report Server Application Pool user to one with limited permissions, which reduces the blast radius of exploitation but does not remove the vulnerability.
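The indicators above, applied to parsed HTTP request records as an added example (not code from this page, Progress, or the ET rule author). The record shape (method, uri, body) and the sample requests are constructed assumptions; adapt the loader to your own proxy or web-server logs.

```python
import re

# Mirrors the ET rule's pcre: the "extension" value ends in .trdp or .trbp.
REPORT_EXT = re.compile(r'"extension"\s*:\s*"[^"]*\.tr[db]p"', re.IGNORECASE)

def classify(method: str, uri: str, body: str) -> list[str]:
    """Return the names of this page's indicators matched by one request."""
    findings = []
    if method.upper() != "POST":
        return findings
    path = uri.split("?", 1)[0]
    # Indicator 1: /Startup/Register should be unreachable after setup.
    if path == "/Startup/Register":
        findings.append("startup-register (auth bypass CVE-2024-4358)")
    # Indicator 2: report upload with a .trdp/.trbp extension (ET SID 2053448 logic).
    if path.endswith("/api/reportserver/report"):
        keys = ('"reportName"', '"reportContent"', '"extension"')
        if all(k in body for k in keys) and REPORT_EXT.search(body):
            findings.append("report-upload .trdp/.trbp (CVE-2024-1800)")
    # Indicator 3: deserialization payload markers named on this page.
    if "ResourceDictionary" in body and "ObjectDataProvider" in body:
        findings.append("deserialization payload markers")
    return findings

# Constructed sample records (not real traffic); only element names, no payload.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/Startup/Register", "body": "Username=x&Password=y"},
    {"method": "POST", "uri": "/api/reportserver/report",
     "body": '{"reportName":"r1","reportContent":"<ResourceDictionary><ObjectDataProvider/>",'
             '"extension":".trdp"}'},
    {"method": "POST", "uri": "/api/reportserver/report",
     "body": '{"reportName":"weekly","reportContent":"...","extension":".xlsx"}'},
    {"method": "GET", "uri": "/Startup/Register", "body": ""},
]

def scan(records):
    """Run classify over records; return (index, findings) for each record that hits."""
    results = []
    for i, r in enumerate(records):
        hits = classify(r["method"], r["uri"], r["body"])
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: {', '.join(hits)}")
```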