On 31 May 2024, a Proof of Concept (PoC) exploit and technical analysis were published for a pre-authentication Remote Code Execution (RCE) exploit chain affecting Telerik Report Server, a Progress product for centralised report management within organisations. The analysis showed how threat actors can use the recently disclosed authentication bypass vulnerability (CVE-2024-4358) to satisfy the low-privilege authentication that the insecure deserialisation vulnerability (CVE-2024-1800) otherwise requires, and so achieve RCE on vulnerable Telerik Report Servers.
While these vulnerabilities are not currently known to be actively exploited, Arctic Wolf has previously observed other Progress products being targeted by threat actors. In 2023, the Cl0p ransomware group exploited a zero-day vulnerability (CVE-2023-34362) in Progress’s MOVEit Transfer to target over two thousand organisations globally. Given the publicly available PoC exploit and the ease of exploitation, threat actors are likely to target these vulnerabilities in the near term.
Recommendations for CVE-2024-4358 & CVE-2024-1800
Arctic Wolf strongly recommends updating to the latest version of Telerik Report Server. Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Progress Telerik Report Server | 2024 Q1 (10.0.24.305) and older | 2024 Q2 (10.1.24.514) |
Note: The insecure deserialisation vulnerability (CVE-2024-1800) affects Report Server versions prior to 2024 Q1 (10.0.24.130) and is remediated in Report Server 2024 Q1 (10.0.24.305). However, to fully resolve the exploit chain, update to the latest version of Telerik Report Server.
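As an added triage helper (not code from Arctic Wolf or Progress), the following Python maps a Report Server version string, as reported in an asset inventory, to the exposure described in the table and note above. The thresholds are the build numbers stated on this page; the function names and the sample version strings are my own.

```python
import re

# Thresholds taken from the advisory table and note (4-part Telerik build numbers).
CHAIN_FIXED = (10, 1, 24, 514)   # 2024 Q2: first release resolving the full chain
DESER_FIXED = (10, 0, 24, 130)   # CVE-2024-1800 affects versions prior to this build

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract a 4-part build number from strings such as '2024 Q1 (10.0.24.305)'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no 4-part version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text: str) -> list:
    """Return the CVE identifiers the given version is exposed to per the advisory."""
    version = parse_version(text)
    findings = []
    if version < CHAIN_FIXED:
        # 2024 Q1 (10.0.24.305) and older: authentication bypass, update to 2024 Q2+
        findings.append("CVE-2024-4358")
    if version < DESER_FIXED:
        # Older than 10.0.24.130: insecure deserialisation RCE is reachable too
        findings.append("CVE-2024-1800")
    return findings


if __name__ == "__main__":
    # Constructed inventory entries; only the first and third are builds named on the page.
    for entry in ("2024 Q1 (10.0.24.305)", "9.2.23.1214", "2024 Q2 (10.1.24.514)"):
        print(entry, "->", assess(entry) or ["not affected per advisory"])
```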