CVE-2024-4358
published 2024-05-29

Priority: P1 (score 100), critical; CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW (exploited in the wild), public exploit, initial access
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2024-07-04
Exploited in the wild
EPSS: 97.48% (99.9th percentile)

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

Affected (2 ranges)

Vendor                        | Product               | Version range              | Fixed in
progress_software_corporation | telerik_report_server | >= 1.0.0 and < 10.1.24.514 | 10.1.24.514
telerik                       | report_server_2024    | <= 10.0.24.305             | (not stated)

Detection & IOCs (extracted from sources)

url: /Startup/Register
path: /Startup/Register
path: /Token
path: /api/reportserver/report
path: /api/reports/clients
path: /Users/Index
filename: payloads.trdp
filename: definition.xml
other: Shodan query: title:"Log in | Telerik Report Server"
other: Fofa dork: title="Telerik Report Server"
  • Monitor for unauthenticated POST requests to /Startup/Register on Telerik Report Server IIS deployments; this endpoint should not be accessible post-setup and its use indicates exploitation of CVE-2024-4358.
  • Alert on POST requests to /api/reportserver/report with a Bearer token obtained shortly after a /Startup/Register call; this is the deserialization payload upload step in the RCE chain (CVE-2024-1800).
  • Inspect uploaded .trdp report files for a ResourceDictionary element containing ObjectDataProvider; this XML construct is used to trigger deserialization RCE.
  • Review Telerik Report Server user list at /Users/Index for unexpected new Local accounts; newly created accounts with no legitimate origin are a post-exploitation indicator of CVE-2024-4358 abuse.
  • The Metasploit module for this CVE chain executes OS commands as NT AUTHORITY\SYSTEM via a crafted .trdp report upload; hunt for cmd.exe or PowerShell spawned as child processes of the Telerik Report Server application pool worker process (w3wp.exe).
  • Check Point IPS signature 'Progress Telerik Report Server Remote Code Execution' can be used to detect exploitation attempts against CVE-2024-4358.
  • The Metasploit module targets Telerik Report Server version 10.0.24.130 and prior; the broader CVE-2024-4358 advisory covers all versions up to and including 2024 Q1 (10.0.24.305). Ensure detection scope covers the full affected version range.
  • The Metasploit module will not delete the rogue admin account it creates (only the uploaded report is cleaned up), so account-based forensic indicators persist post-exploitation.
  • CVE-2024-4358 only applies to deployments on IIS; non-IIS hosting configurations are not affected by this specific authentication bypass.
  • Full RCE requires chaining CVE-2024-4358 with the separate deserialization bug CVE-2024-1800; patching only one flaw is insufficient to prevent the complete attack chain.
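As an added example (not from the page or its sources), a small Python hunting routine that applies the first two request-level indicators above to constructed IIS W3C log lines: any POST to /Startup/Register, and a POST to /api/reportserver/report from the same client shortly afterwards. The six-field log layout, the sample addresses and the 15-minute chain window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C-style log excerpt (sample data, not real traffic).
# Assumed field order: date time cs-method cs-uri-stem c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-06-01 10:00:01 GET /Report/Index 198.51.100.7 200
2024-06-01 10:02:15 POST /Startup/Register 203.0.113.9 302
2024-06-01 10:02:16 POST /Token 203.0.113.9 200
2024-06-01 10:02:20 POST /api/reportserver/report 203.0.113.9 201
2024-06-01 11:30:00 POST /api/reportserver/report 198.51.100.7 201
"""

CHAIN_WINDOW = timedelta(minutes=15)  # assumed value; tune per environment
ALERT_REGISTER = "setup endpoint used after install: POST /Startup/Register (CVE-2024-4358)"
ALERT_CHAIN = "report upload shortly after /Startup/Register (possible CVE-2024-1800 chain step)"


def parse(log_text):
    """Yield (timestamp, method, path, client_ip, status) for each data line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        date, time_, method, path, ip, status = line.split()
        yield datetime.fromisoformat(f"{date} {time_}"), method, path, ip, int(status)


def hunt(log_text):
    """Return a list of (client_ip, alert) tuples for the two indicators."""
    alerts = []
    register_seen = {}  # client ip -> time of its last POST /Startup/Register
    for ts, method, path, ip, status in parse(log_text):
        if method == "POST" and path.lower() == "/startup/register":
            register_seen[ip] = ts
            alerts.append((ip, ALERT_REGISTER))
        elif method == "POST" and path.lower() == "/api/reportserver/report":
            t0 = register_seen.get(ip)
            if t0 is not None and ts - t0 <= CHAIN_WINDOW:
                alerts.append((ip, ALERT_CHAIN))
    return alerts


if __name__ == "__main__":
    for ip, alert in hunt(SAMPLE_LOG):
        print(f"{ip}: {alert}")
```

The legitimate report upload from 198.51.100.7 is not flagged because no /Startup/Register call preceded it from that client.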

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL