On 24 July 2024, Progress published a knowledge base article disclosing a critical vulnerability (CVE-2024-6327) impacting Telerik Report Server, a product by Progress designed for streamlined report management within organisations. This vulnerability can lead to remote code execution (RCE) due to the deserialisation of untrusted data.
Arctic Wolf has not identified a publicly accessible proof of concept (PoC) exploit or active exploitation of this vulnerability. However, two points are notable:
- In June, an authentication bypass vulnerability (CVE-2024-4358) affecting Telerik Report Server was added to CISA’s Known Exploited Vulnerabilities catalog shortly after its disclosure.
- Arctic Wolf has previously observed other Progress products being targeted by threat actors, such as the infamous zero-day vulnerability (CVE-2023-34362) in Progress’s MOVEit Transfer, which was exploited by the Cl0p ransomware group to target over two thousand organisations globally in 2023.
Given the historical targeting of Progress products and the potential level of access that could be obtained by exploiting vulnerable Telerik Report Servers, threat actors may shift their interest to CVE-2024-6327 in the near future.
Recommendations for CVE-2024-6327
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Progress Software Telerik Report Server | 10.1.24.514 (or earlier) | 10.1.24.709 |
Workaround (Optional)
If unable to immediately upgrade to the latest fixed version of Telerik Report Server, Progress has stated that this vulnerability can be temporarily mitigated by changing the user for the Report Server Application Pool to one with limited permissions.
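The following PowerShell is an added example, not code from Arctic Wolf or Progress. It shows how an administrator would check an installed Telerik Report Server build against the fixed version in the table above and audit (or reduce) the identity of the IIS application pool that the workaround refers to. It assumes the host runs IIS with the WebAdministration module, and the pool name 'TelerikReportServer' is a placeholder for whatever the deployment actually uses; choosing the built-in ApplicationPoolIdentity as the "limited permissions" account is also an assumption, since the advisory does not name a specific account.

```powershell
# Added example (not from the advisory or the vendor).
# Assumes an IIS host with the WebAdministration module; the pool name below is a placeholder.
Import-Module WebAdministration

function Test-TelerikReportServerFixed {
    param([Parameter(Mandatory)][string]$InstalledVersion)
    # Fixed build from the advisory table; any earlier build is affected by CVE-2024-6327.
    $fixed = [version]'10.1.24.709'
    return ([version]$InstalledVersion -ge $fixed)
}

function Get-AppPoolIdentityRisk {
    param([Parameter(Mandatory)][string]$PoolName)
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
    # identityType may surface as a name or its numeric value:
    # 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 SpecificUser, 4 ApplicationPoolIdentity
    $identity = "$($pm.identityType)"
    switch -Regex ($identity) {
        '^(0|LocalSystem)$'  { return "High: pool '$PoolName' runs as LocalSystem; RCE here is full host compromise" }
        '^(3|SpecificUser)$' { return "Review: pool '$PoolName' runs as '$($pm.userName)'; confirm it is a least-privilege account" }
        default              { return "Low: pool '$PoolName' uses built-in limited identity ($identity)" }
    }
}

function Set-AppPoolLimitedIdentity {
    param([Parameter(Mandatory)][string]$PoolName)
    # Assumption: ApplicationPoolIdentity (value 4) is the limited account chosen for the workaround.
    Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value 4
    Restart-WebAppPool -Name $PoolName
}

# Usage (placeholder values; replace with the real installed build and pool name):
$installed = '10.1.24.514'
if (-not (Test-TelerikReportServerFixed -InstalledVersion $installed)) {
    Write-Output "Telerik Report Server $installed is affected; upgrade to 10.1.24.709."
    Write-Output (Get-AppPoolIdentityRisk -PoolName 'TelerikReportServer')
    # Apply only as a temporary measure until the upgrade is done:
    # Set-AppPoolLimitedIdentity -PoolName 'TelerikReportServer'
}
```

The audit function is the part worth keeping after the upgrade: a pool still running as LocalSystem turns any future deserialisation bug in the same product into a full host compromise, so flagging it in a scheduled check is cheap insurance.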