CVE-2024-4358
Published: 2024-05-29
Priority: P1 (100) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-07-04
Exploited in the wild
EPSS: 97.48% (99.9th percentile)
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress_software_corporation | telerik_report_server | >= 1.0.0 < 10.1.24.514 | 10.1.24.514 |
| telerik | report_server_2024 | <= 10.0.24.305 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to /Startup/Register on Telerik Report Server IIS deployments; this endpoint should not be accessible post-setup and its use indicates exploitation of CVE-2024-4358.
- Alert on POST requests to /api/reportserver/report with a Bearer token obtained shortly after a /Startup/Register call; this is the deserialization payload upload step in the RCE chain (CVE-2024-1800).
- Inspect uploaded .trdp report files for a ResourceDictionary element containing ObjectDataProvider; this XML construct is used to trigger deserialization RCE.
- Review the Telerik Report Server user list at /Users/Index for unexpected new Local accounts; newly created accounts with no legitimate origin are a post-exploitation indicator of CVE-2024-4358 abuse.
- The Metasploit module for this CVE chain executes OS commands as NT AUTHORITY\SYSTEM via a crafted .trdp report upload; hunt for cmd.exe or PowerShell spawned as child processes of the Telerik Report Server application pool worker process (w3wp.exe).
- Check Point IPS signature 'Progress Telerik Report Server Remote Code Execution' can be used to detect exploitation attempts against CVE-2024-4358.
- The Metasploit module targets Telerik Report Server version 10.0.24.130 and prior; the broader CVE-2024-4358 advisory covers all versions up to and including 2024 Q1 (10.0.24.305). Ensure detection scope covers the full affected version range.
- The Metasploit module will not delete the rogue admin account it creates (only the uploaded report is cleaned up), so account-based forensic indicators persist post-exploitation.
- CVE-2024-4358 only applies to deployments on IIS; non-IIS hosting configurations are not affected by this specific authentication bypass.
- Full RCE requires chaining CVE-2024-4358 with the separate deserialization bug CVE-2024-1800; patching only one flaw is insufficient to prevent the complete attack chain.
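The first three indicators above can be turned into a small hunting script. The following is an added example written for this page, not code from any of the sources listed here. It parses IIS W3C extended log lines (constructed sample lines, embedded below), flags any POST to /Startup/Register, correlates it with a report upload to /api/reportserver/report from the same client IP inside an assumed 15-minute window (IIS does not log the Authorization header, so the Bearer-token linkage in the IOC is approximated by client IP and time), and unpacks a .trdp package, assumed here to be a zip of XML parts, looking for a ResourceDictionary that contains an ObjectDataProvider element. The XML namespace in the constructed sample package is a placeholder.

```python
"""Hunting helpers for the CVE-2024-4358 / CVE-2024-1800 indicators.

Added example, not from the page's sources. All inputs are constructed so
the script runs offline; IIS field names follow the W3C extended log format.
"""
import io
import zipfile
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

# Constructed IIS log excerpt (no real hosts). One rogue session from
# 198.51.100.23 and one legitimate upload by a logged-in user from 10.0.0.21.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-07 10:01:02 10.0.0.5 GET /Report/Index - 443 admin 10.0.0.20 Mozilla/5.0 200
2024-06-07 10:02:10 10.0.0.5 POST /Startup/Register - 443 - 198.51.100.23 python-requests/2.31 302
2024-06-07 10:02:40 10.0.0.5 POST /api/reportserver/report - 443 - 198.51.100.23 python-requests/2.31 201
2024-06-07 11:30:00 10.0.0.5 POST /api/reportserver/report - 443 alice 10.0.0.21 Mozilla/5.0 201
"""


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def register_hits(records):
    """IOC 1: any POST to /Startup/Register once setup is complete is suspicious."""
    return [r for r in records
            if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/startup/register"]


def chain_hits(records, window=timedelta(minutes=15)):
    """IOC 2: report upload from the same client IP shortly after a register call.

    Returns (register_record, upload_record) pairs. The 15-minute window is an
    assumption for this example; tune it to the environment.
    """
    regs = register_hits(records)
    hits = []
    for r in records:
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() != "/api/reportserver/report":
            continue
        for reg in regs:
            if reg["c-ip"] == r["c-ip"] and timedelta(0) <= r["ts"] - reg["ts"] <= window:
                hits.append((reg, r))
                break
    return hits


def _localname(tag):
    """Strip an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]


def scan_trdp(data):
    """IOC 3: list zip parts holding a ResourceDictionary with an ObjectDataProvider child.

    Assumes a .trdp is a zip container of XML parts; non-XML parts are skipped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # images and other binary parts
            for el in root.iter():
                if _localname(el.tag) == "ResourceDictionary" and any(
                        _localname(c.tag) == "ObjectDataProvider" for c in c_iter(el)):
                    findings.append(name)
                    break
    return findings


def c_iter(el):
    """All descendants of el, excluding el itself."""
    return (c for c in el.iter() if c is not el)


def build_trdp(definition_xml):
    """Constructed helper: package one XML part the way a .trdp zip would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("definition.xml", definition_xml)
    return buf.getvalue()


# Constructed sample parts; the namespace URI is a placeholder, not Telerik's.
BENIGN_XML = '<Report xmlns="urn:example:report"><Items/></Report>'
SUSPECT_XML = ('<Report xmlns="urn:example:report">'
               '<ResourceDictionary><ObjectDataProvider /></ResourceDictionary></Report>')

if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for r in register_hits(recs):
        print("register call:", r["ts"], r["c-ip"])
    for reg, up in chain_hits(recs):
        print("chain:", reg["c-ip"], reg["ts"], "->", up["cs-uri-stem"], up["ts"])
    print("suspect parts:", scan_trdp(build_trdp(SUSPECT_XML)))
```

The legitimate upload by `alice` at 11:30 is not flagged because no /Startup/Register call preceded it from her address; that is the difference between alerting on the upload endpoint alone (noisy in a working report server) and alerting on the sequence the IOC describes.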
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
CISA
Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
cisa·2024-06-13·CVSS 9.8
CVE-2024-4358 [CRITICAL] CWE-290 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
Vulnerability: Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
Affected: Progress Telerik Report Server
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358; https://nvd.nist.gov/vuln/detail/CVE-2024-4358
Remediation Due Date: 2024-07-04
VulnCheck
Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-4358 [CRITICAL] CWE-290 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Affected: Progress Telerik Report Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-07&host_type=src&vulnerability=cve-2024-4358; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-08&host_type=src&vulnerability=cve-2024-4358; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-09&host_type=src&vulnerability=
No detection rules found.
Exploit-DB
Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
exploitdb·2025-03-28·CVSS 9.8
CVE-2024-4358 [CRITICAL] Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
---
# Exploit Title: Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
# Fofa Dork: title="Telerik Report Server"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-4358
# Vendor Homepage: https://www.telerik.com/report-server
# Software Link: https://www.telerik.com/report-server
# Version: 2024 Q1 (10.0.24.305) and earlier
# Tested on: Windows Server 2019
# CVE: CVE-2024-4358
import aiohttp
import asyncio
from alive_progress import alive_bar
from colorama import Fore, Style
import os
import aiofiles
import time
import random
import argparse
from fake_useragent import UserAgent
import uvloop
import string
import zipfile
import base64
Nuclei
Progress Telerik Report Server - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-4358 [CRITICAL] Progress Telerik Report Server - Authentication Bypass
Progress Telerik Report Server - Authentication Bypass
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Template:
id: CVE-2024-4358
info:
  name: Progress Telerik Report Server - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Metasploit
Telerik Report Server Auth Bypass and Deserialization RCE
metasploit·CVSS 8.8
CVE-2024-4358 [HIGH] Telerik Report Server Auth Bypass and Deserialization RCE
Telerik Report Server Auth Bypass and Deserialization RCE
This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges. The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account because users are unable to delete themselves.
Metasploit
Telerik Report Server Auth Bypass
metasploit
Telerik Report Server Auth Bypass
Telerik Report Server Auth Bypass
This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and prior which allows an unauthenticated attacker to create a new account with administrative privileges. The vulnerability leverages the initial setup page which is still accessible once the setup process has completed. If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if the specified USERNAME already exists.
Bleepingcomputer
Progress warns of critical RCE bug in Telerik Report Server
blogs_bleepingcomputer·2024-07-25·CVSS 9.9
CVE-2024-6327 [CRITICAL] Progress warns of critical RCE bug in Telerik Report Server
## Progress warns of critical RCE bug in Telerik Report Server
## Sergiu Gatlan
Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices.
As a server-based reporting platform, Telerik Report Server provides centralized storage for reports and the tools needed to create, deploy, deliver, and manage them across an organization.
Tracked as CVE-2024-6327, the vulnerability is due to a deserialization of untrusted data weakness that attackers can exploit to gain remote code execution on unpatched servers.
The vulnerability impacts Report Server 2024 Q2 (10.1.24.514) and earlier and was patched in version 2024 Q2 (10.1.24.709).
"Updating to Report Server 2024 Q2 (10.1.24.7
Checkpoint
10th June – Threat Intelligence Report
blogs_checkpoint·2024-06-10
CVE-2024-4577 10th June – Threat Intelligence Report
## 10th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th June, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Pathology services provider Synnovis has experienced a ransomware attack that affected procedures and operations in several major hospitals in London, including the Department of Health and Social Care and the NHS. The Qilin (formerly Agenda) ransomware gang claimed responsibility for the attack.
Check Point Threat Emulation provides prot
Tenable
CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
blogs_tenable·2024-06-04·CVSS 9.9
[CRITICAL] CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
Bleepingcomputer
Exploit for critical Progress Telerik auth bypass released, patch now
blogs_bleepingcomputer·2024-06-03·CVSS 9.9
[CRITICAL] Exploit for critical Progress Telerik auth bypass released, patch now
## Exploit for critical Progress Telerik auth bypass released, patch now
## Bill Toulas
Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers.
The Telerik Report Server is an API-powered end-to-end encrypted report management solution organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports.
Cybersecurity researcher Sina Kheirkha developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.
## Creating rogue admin accounts
The authentication bypass
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
NoiseLetter March 2026
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Greynoiseio
NoiseLetter June 2024
blogs_greynoiseio
NoiseLetter June 2024
Published: 2024-05-29
Added to CISA KEV: 2024-06-13
Exploited in the wild