{"api_version":"1","generated_at":"2026-04-23T09:52:12+00:00","cve":"CVE-2019-18935","urls":{"html":"https://cve.report/CVE-2019-18935","api":"https://cve.report/api/cve/CVE-2019-18935.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-18935","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-18935"},"summary":{"title":"CVE-2019-18935","description":"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-12-11 13:15:00","updated_at":"2023-11-07 03:07:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-(version-2020-1-114)","name":"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-(version-2020-1-114)","refsource":"MISC","tags":[],"title":"Telerik UI for ASP.NET AJAX - UI for ASP.NET AJAX R1 2020 (version 2020.1.114)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29","name":"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29","refsource":"","tags":[],"title":"Telerik UI for ASP.NET AJAX - UI for ASP.NET AJAX R1 2020 (version 2020.1.114)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"Telerik UI Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://github.com/noperator/CVE-2019-18935","name":"https://github.com/noperator/CVE-2019-18935","refsource":"MISC","tags":["Third Party Advisory"],"title":"GitHub - noperator/CVE-2019-18935: RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.telerik.com/support/whats-new/release-history","name":"https://www.telerik.com/support/whats-new/release-history","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Release History for Telerik Products","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui","name":"https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/bao7uo/RAU_crypto","name":"https://github.com/bao7uo/RAU_crypto","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"GitHub - bao7uo/RAU_crypto: Hard-coded encryption key remote file upload exploit for CVE-2017-11317, CVE-2017-11357 (Telerik UI for ASP.NET AJAX)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization","name":"https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization","refsource":"MISC","tags":["Patch","Vendor Advisory"],"title":"Allows JavaScriptSerializer Deserialization - Telerik UI for ASP.NET AJAX - KB","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html","name":"http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html","refsource":"MISC","tags":[],"title":"Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/","name":"https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/","refsource":"MISC","tags":[],"title":"US federal agency hacked using old Telerik bug to steal data","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html","name":"https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html","refsource":"MISC","tags":["Not Applicable"],"title":"code white | Blog: Telerik Revisited","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-18935","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18935","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"18935","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"telerik","cpe5":"ui_for_asp.net_ajax","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18935","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"telerik","cpe5":"ui_for_asp.net_ajax","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2019","cve_id":"18935","cve":"CVE-2019-18935","vendorProject":"Progress","product":"Telerik UI for ASP.NET AJAX","vulnerabilityName":"Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability","dateAdded":"2021-11-03","shortDescription":"Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-05-03","knownRansomwareCampaignUse":"Known","notes":"https://nvd.nist.gov/vuln/detail/CVE-2019-18935","cwes":"CWE-502","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:11"},"epss":{"cve_year":"2019","cve_id":"18935","cve":"CVE-2019-18935","epss":"0.935830000","percentile":"0.998350000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-18935","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.telerik.com/support/whats-new/release-history","refsource":"MISC","name":"https://www.telerik.com/support/whats-new/release-history"},{"url":"https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html","refsource":"MISC","name":"https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html"},{"refsource":"MISC","name":"https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization","url":"https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization"},{"refsource":"MISC","name":"https://github.com/bao7uo/RAU_crypto","url":"https://github.com/bao7uo/RAU_crypto"},{"refsource":"MISC","name":"https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui","url":"https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui"},{"refsource":"MISC","name":"https://github.com/noperator/CVE-2019-18935","url":"https://github.com/noperator/CVE-2019-18935"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html"},{"refsource":"MISC","name":"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-(version-2020-1-114)","url":"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-(version-2020-1-114)"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html","url":"http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html"},{"refsource":"MISC","name":"https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/","url":"https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/"}]}},"nvd":{"publishedDate":"2019-12-11 13:15:00","lastModifiedDate":"2023-11-07 03:07:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*","versionStartIncluding":"2011.1.315","versionEndExcluding":"2019.3.1023","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"18935","Ordinal":"160501","Title":"CVE-2019-18935","CVE":"CVE-2019-18935","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"18935","Ordinal":"1","NoteData":"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)","Type":"Description","Title":null},{"CveYear":"2019","CveId":"18935","Ordinal":"2","NoteData":"2019-12-11","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"18935","Ordinal":"3","NoteData":"2020-10-20","Type":"Other","Title":"Modified"}]}}}