CVE-2019-18935
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Confirmed Active Exploitation
This vulnerability is listed in the CISA KEV Catalog. Federal agencies are mandated to patch immediately. Immediate remediation is required.
Public Exploit Available
A Proof-of-Concept (PoC) or exploit code for this vulnerability is publicly available. This significantly increases the risk of exploitation.
Exploitation Probability (EPSS)
Critical PriorityThe Exploit Prediction Scoring System (EPSS) uses machine learning to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days.
7-Day Exploitation Trend
Vulnerability Timeline
2 eventsThreat Actor Attribution
PREMIUM INTELRemediation & Mitigation
SOLUTIONOfficial patches and mitigation steps are available for this vulnerability.
apt-get update && apt-get upgrade -y specific-package
# Verify installation
dpkg -l | grep package-name
Affected Products
References
PoC ExploitAm I Vulnerable?
Check your domain or package.json for CVE-2019-18935 exposure.
Vulnerability Details
Need Manual Validation?
Automated scanners flag false positives. Get a manual pentest validation for this CVE.