
Critical Progress Telerik vulnerability under attack

Threat actors are targeting vulnerable Progress Telerik Report Server systems just days after a proof of concept was published detailing a vulnerability exploit chain.

Threat actors are exploiting a critical Progress Telerik Report Server vulnerability that could allow an attacker to execute malicious code on targeted systems.

On April 25, Progress Software-owned Telerik issued an advisory for an insecure deserialization vulnerability tracked as CVE-2024-1800 that affected Report Server, a report management product. Sina Kheirkhah, security researcher at Summoning Team, discovered a Telerik Report Server authentication bypass vulnerability, tracked as CVE-2024-4358, while analyzing the deserialization flaw.

In a blog post on Monday, Kheirkhah warned users that the two flaws could be chained to achieve full remote code execution on vulnerable Telerik Report Server instances.

Attacks are now underway, just two days after Kheirkhah posted a proof of concept for the exploit chain on GitHub. The Shadowserver Foundation, a cybersecurity nonprofit organization, started to observe exploitation attempts beginning on June 5. As of June 6, exploitation primarily affected users in the U.S. and U.K.

"We are observing Progress Telerik Report Server CVE-2024-4358 auth bypass exploitation attempts in our honeypot sensors starting 5th June. We have also started reporting out vulnerable versions seen in our scans (89 seen on 5th June out of 95 exposed)," Shadowserver wrote on X, formerly known as Twitter.

Telerik credited Kheirkhah for discovering CVE-2024-4358 and Trend Micro's Zero Day Initiative (ZDI) for discovering and reporting CVE-2024-1800, which has now received a 9.9 CVSS score. Telerik's advisory for CVE-2024-1800 urged users to upgrade to Report Server 2024 Q1 version 10.0.24.305 or higher. However, Telerik issued a critical alert in May for CVE-2024-4358 instructing users to upgrade to the fixed version of Report Server Q2 version 10.1.24.514 or later. In both cases, Telerik stressed that updating "is the only way to remove this vulnerability."

Exploit chain discovery

Kheirkhah detailed how he discovered the exploit chain in a blog post on Monday. He credited researcher Soroush Dalili, director of SecProject, for assistance in understanding the full scope of the .NET deserialization flaw. Kheirkhah explained that he observed a CVSS score discrepancy between Telerik's and ZDI's advisories for CVE-2024-1800.

Progress mistakenly assigned it a 9.9 CVSS score, while ZDI gave it an 8.8.

"After I noticed the mistake on their scoring, I thought, it would actually be very funny if I can manage to find a way to bypass the authentication and actually make the issue into a Critical CVSS 9.9, so that's what I did!" Kheirkhah wrote in the blog post.

While researching the vulnerabilities, he found that insecure deserialization is reachable because the software lets users create reports of any type. He was also able to craft request parameters that let an attacker first create a user and then assign that user the system administrator role. Kheirkhah stressed that this would allow a remote, unauthenticated attacker to log in as an administrator, granting privileged access.

"I've discovered this issue in 5 minutes after I finished setting up the software. The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process," the blog post read.
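The failure mode described above, a first-run setup endpoint that keeps accepting account-creation requests after setup has finished, is shown here as an added example. This is illustrative code, not Telerik's or Kheirkhah's; the route name `/setup`, the handler functions, the in-memory state and the log lines are all constructed for the example. It contrasts the weak handler with a hardened one that refuses once setup has completed and never lets the caller pick its own role, and it adds a small log check a defender could use to spot setup-endpoint traffic after the completion timestamp.

```python
"""Added example (not the product's code): a one-time setup endpoint that must
be disabled once initial configuration is complete, plus a log check for
requests that reach it afterwards. Every name and value here is constructed."""
from dataclasses import dataclass, field

# Constructed placeholder route; the article does not name the real endpoint.
SETUP_PATH = "/setup"


@dataclass
class AppState:
    """In-memory stand-in for the application's persistent configuration."""
    setup_completed: bool = False
    users: dict = field(default_factory=dict)  # username -> role


def vulnerable_setup_handler(state: AppState, params: dict) -> tuple[int, str]:
    """Weak pattern: no check that setup already ran and no authentication,
    so any later caller can register a user and choose its role."""
    username = params.get("username", "")
    role = params.get("role", "user")
    if not username:
        return 400, "username required"
    state.users[username] = role
    state.setup_completed = True
    return 200, f"created {username} as {role}"


def hardened_setup_handler(state: AppState, params: dict) -> tuple[int, str]:
    """Hardened pattern: refuse once setup has completed, and never let the
    caller choose the role. The first account is the bootstrap administrator;
    later administrative changes belong on an authenticated admin endpoint."""
    if state.setup_completed:
        return 403, "setup already completed; endpoint disabled"
    username = params.get("username", "")
    if not username:
        return 400, "username required"
    state.users[username] = "administrator"
    state.setup_completed = True
    return 200, f"created {username} as administrator"


def admin_accounts(state: AppState) -> list[str]:
    """Sorted list of usernames holding the administrator role."""
    return sorted(u for u, r in state.users.items() if r == "administrator")


def post_setup_hits(log_lines: list[str], setup_completed_at: str) -> list[str]:
    """Return log lines that hit the setup route after setup finished.
    Lines are '<ISO-8601 timestamp> <method> <path> <status>'; ISO timestamps
    in one format compare correctly as strings."""
    hits = []
    for line in log_lines:
        ts, _method, path, _status = line.split()
        if path == SETUP_PATH and ts > setup_completed_at:
            hits.append(line)
    return hits


# Constructed access-log sample: setup at 10:00, then a later request to the
# same route days after the operator finished.
SAMPLE_LOG = [
    "2024-06-01T10:00:00Z POST /setup 200",
    "2024-06-01T10:05:00Z GET /reports 200",
    "2024-06-05T03:12:44Z POST /setup 200",
]


def demo() -> dict:
    """Run both handlers through the same sequence: the operator completes
    setup, then an unauthenticated request hits the endpoint again."""
    operator = {"username": "admin", "role": "administrator"}
    late_request = {"username": "late_user", "role": "administrator"}

    weak = AppState()
    vulnerable_setup_handler(weak, operator)
    weak_status, _ = vulnerable_setup_handler(weak, late_request)

    strong = AppState()
    hardened_setup_handler(strong, operator)
    strong_status, _ = hardened_setup_handler(strong, late_request)

    return {
        "weak": (weak_status, admin_accounts(weak)),
        "hardened": (strong_status, admin_accounts(strong)),
        "late_setup_hits": post_setup_hits(SAMPLE_LOG, "2024-06-01T10:00:00Z"),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `hardened_setup_handler` is the whole fix: a persistent "setup completed" flag consulted before any work is done, with the bootstrap account's role fixed server-side. The `post_setup_hits` helper is the corresponding detection idea; on a real deployment the route name and the completion timestamp would come from the product's own logs and configuration.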

Kheirkhah added that it's not the first time he's observed this type of "simple" issue. For example, he cited vulnerabilities in ConnectWise's ScreenConnect remote access software that came under attack in February. Security vendor Huntress described exploitation of the ScreenConnect vulnerability as "trivial and embarrassingly easy."

It's critical for users to patch the exploit chain, as both Progress and Telerik products were involved in significant attacks in 2023. Last May, the Clop ransomware gang exploited a flaw in Progress' MOVEit Transfer file transfer product that affected a substantial number of downstream customer organizations, including U.S. government agencies.

Last year, CISA issued an advisory on how threat actors exploited a three-year-old .NET deserialization vulnerability, tracked as CVE-2019-18935, in Progress' Telerik UI. Advanced persistent threat actors exploited the vulnerability against a Federal Civilian Executive Branch agency that remained vulnerable.

Progress did not respond to a request for comment at press time.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
