CVE-2019-18935

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2019-18935
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2019-12-11 13:15:00 UTC
Updated2023-11-07 03:07:00 UTC
DescriptionProgress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Risk And Classification

EPSS: 0.935830000 probability, percentile 0.998330000 (date 2026-04-01)

CISA KEV: Listed on 2021-11-03; due 2022-05-03; ransomware use Known

Problem Types: CWE-502

CISA Known Exploited Vulnerability

VendorProgress
ProductTelerik UI for ASP.NET AJAX
NameProgress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability
Required ActionApply updates per vendor instructions.
Noteshttps://nvd.nist.gov/vuln/detail/CVE-2019-18935

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Telerik Ui For Asp.net Ajax All All All All
Application Telerik Ui For Asp.net Ajax All All All All

References

ReferenceSourceLinkTags
Telerik UI for ASP.NET AJAX - UI for ASP.NET AJAX R1 2020 (version 2020.1.114) MISC www.telerik.com
Telerik UI for ASP.NET AJAX - UI for ASP.NET AJAX R1 2020 (version 2020.1.114) www.telerik.com
Telerik UI Remote Code Execution ≈ Packet Storm MISC packetstormsecurity.com Third Party Advisory
GitHub - noperator/CVE-2019-18935: RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX. MISC github.com Third Party Advisory
Release History for Telerik Products MISC www.telerik.com Release Notes, Vendor Advisory
CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI MISC know.bishopfox.com Exploit, Third Party Advisory
GitHub - bao7uo/RAU_crypto: Hard-coded encryption key remote file upload exploit for CVE-2017-11317, CVE-2017-11357 (Telerik UI for ASP.NET AJAX) MISC github.com Exploit, Third Party Advisory
Allows JavaScriptSerializer Deserialization - Telerik UI for ASP.NET AJAX - KB MISC www.telerik.com Patch, Vendor Advisory
Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization ≈ Packet Storm MISC packetstormsecurity.com
US federal agency hacked using old Telerik bug to steal data MISC www.bleepingcomputer.com
code white | Blog: Telerik Revisited MISC codewhitesec.blogspot.com Not Applicable
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
CISA Known Exploited Vulnerabilities catalog CISA www.cisa.gov kev
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report