📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia

CVE-2019-18935

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: Nov 3, 2021  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability — Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.

🤖 AI Executive Summary

CVE-2019-18935 is a critical deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX that allows remote attackers to execute arbitrary code on the server through the RadAsyncUpload component. The vulnerability requires no authentication in many configurations and has been actively exploited in the wild by multiple threat actors including nation-state groups. With a CVSS score of 9.0 and confirmed public exploits available, this represents an immediate and severe risk to any organization running unpatched Telerik UI components on their web infrastructure. This vulnerability has been included in CISA's Known Exploited Vulnerabilities catalog, underscoring its active exploitation status.

🤖 AI Intelligence Analysis (analyzed: Apr 15, 2026 04:16)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations face significant exposure given the widespread adoption of Microsoft ASP.NET-based web portals across government e-services (Yesser/SDAIA platforms), banking portals (SAMA-regulated institutions), and healthcare patient portals (MOH, SEHA). Energy sector digital transformation initiatives at Saudi Aramco and SABIC may expose internal web applications built on Telerik components. Telecom providers (STC, Mobily, Zain) running customer-facing ASP.NET portals are also at risk. Government entities using Telerik-based e-government services are particularly vulnerable as successful exploitation grants SYSTEM-level code execution, potentially enabling lateral movement into critical national infrastructure networks. The NCA has flagged similar deserialization vulnerabilities as priority concerns for Saudi critical infrastructure operators.
🏢 Affected Saudi Sectors: Government, Banking, Healthcare, Energy, Telecom, Education, Retail, Transportation
⚖️ Saudi Risk Score (AI): 9.4 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all instances of Telerik UI for ASP.NET AJAX across your environment using asset inventory and web application scanning.
2. Check the Telerik version by inspecting DLL file versions (Telerik.Web.UI.dll) — versions prior to 2020.1.114 are vulnerable.
3. Isolate or take offline any internet-facing applications using vulnerable Telerik versions until patching is complete.
4. Block access to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd) at the WAF/perimeter firewall level as an emergency compensating control.

PATCHING GUIDANCE:
5. Upgrade to Telerik UI for ASP.NET AJAX version 2020.1.114 or later immediately.
6. If upgrading is not immediately possible, apply the cryptographic key hardening workaround: set a strong, unique MachineKey in web.config and configure the AllowedCustomMetaDataTypes setting as documented in the Progress KB article.
7. Disable the RadAsyncUpload functionality entirely if file upload is not required by the application.

COMPENSATING CONTROLS:
8. Deploy WAF rules specifically targeting RadAsyncUpload exploitation patterns (OWASP ModSecurity CRS rules available).
9. Implement application allowlisting on web servers to prevent unauthorized process spawning from w3wp.exe.
10. Enable enhanced logging for w3wp.exe process creation events (Sysmon Event ID 1) and network connections.

DETECTION RULES:
11. Monitor for suspicious child processes spawned by w3wp.exe (cmd.exe, powershell.exe, certutil.exe).
12. Alert on POST requests to /Telerik.Web.UI.WebResource.axd?type=rau containing large or encoded payloads.
13. Search the SIEM for indicators of compromise: unusual DLL loads in the IIS worker process and outbound connections from w3wp.exe.
14. Deploy a Sigma rule that detects w3wp.exe spawning cmd.exe or powershell.exe as child processes.
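The following script is an added example (not code from the page, from Progress or from CISA) that turns three of the steps above into runnable checks: the version triage of step 2, the parent/child process rule of steps 11 and 14 over Sysmon Event ID 1 records, and the large-POST rule of step 12 over IIS W3C log lines. The Sysmon records, the IIS lines, the W3C field order and the 4096-byte body threshold are all constructed assumptions; in particular, cs-bytes is not part of the default IIS log field set and has to be enabled for the request-size condition to work.

```python
"""Triage and detection helpers for the remediation steps above (added example, not the page's code)."""
from typing import Iterable

# ---- Step 2: version triage for Telerik.Web.UI.dll ---------------------------
# Telerik UI for ASP.NET AJAX uses year.release.build versions (e.g. 2019.3.1023); the
# file version read from the DLL may carry a fourth component. The page states that
# versions before 2020.1.114 are vulnerable.
FIXED_VERSION = (2020, 1, 114)


def is_vulnerable_version(file_version: str) -> bool:
    """True when the first three version components sort before 2020.1.114."""
    parts = [int(p) for p in file_version.strip().split(".")[:3]]
    parts += [0] * (3 - len(parts))          # pad short versions such as "2019.3"
    return tuple(parts) < FIXED_VERSION


# ---- Steps 11 and 14: w3wp.exe spawning a shell or LOLBin (Sysmon Event ID 1) --
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_events(events: Iterable[dict]) -> list:
    """Return Event ID 1 records whose parent image is w3wp.exe and whose image is on the watch list."""
    return [
        ev for ev in events
        if ev.get("EventID") == 1
        and _basename(ev.get("ParentImage", "")) == "w3wp.exe"
        and _basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN
    ]


# ---- Step 12: large POST to the RadAsyncUpload handler (IIS W3C log) ----------
# Assumed field order; cs-bytes (request size) must be enabled in the IIS logging
# options, it is not part of the default W3C field set.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
              "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "cs-bytes"]
LARGE_BODY_BYTES = 4096  # hypothetical threshold; tune to the application's normal uploads


def flag_iis_lines(lines: Iterable[str], threshold: int = LARGE_BODY_BYTES) -> list:
    """Return parsed records for POST .../Telerik.Web.UI.WebResource.axd?type=rau with body >= threshold."""
    hits = []
    for line in lines:
        if line.startswith("#"):                 # W3C directive/comment lines
            continue
        fields = line.split()
        if len(fields) != len(IIS_FIELDS):
            continue
        rec = dict(zip(IIS_FIELDS, fields))
        if (rec["cs-method"].upper() == "POST"
                and rec["cs-uri-stem"].lower().endswith("/telerik.web.ui.webresource.axd")
                and "type=rau" in rec["cs-uri-query"].lower()
                and rec["cs-bytes"].isdigit() and int(rec["cs-bytes"]) >= threshold):
            hits.append(rec)
    return hits


# ---- Constructed sample data (not real telemetry) ----------------------------
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig ..."},        # benign: ASP.NET page compilation
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "DestinationIp": "192.0.2.50"},                   # network event, not covered here
]
SAMPLE_IIS_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes",
    "2026-04-15 04:10:01 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.10 Mozilla/5.0 200 98304",
    "2026-04-15 04:10:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.11 Mozilla/5.0 200 312",
    "2026-04-15 04:10:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.12 Mozilla/5.0 200 540",
]


def main() -> None:
    for v in ("2019.3.1023.40", "2020.1.114", "2021.2.616"):
        print(f"Telerik.Web.UI.dll {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for ev in flag_process_events(SAMPLE_EVENTS):
        print("ALERT process:", ev["ParentImage"], "->", ev["CommandLine"])
    for rec in flag_iis_lines(SAMPLE_IIS_LINES):
        print("ALERT request:", rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["cs-bytes"], "bytes")


if __name__ == "__main__":
    main()
```

The process rule deliberately keys on image basenames rather than full paths so that a shell launched from an unusual directory is still caught, while the csc.exe record shows the kind of legitimate w3wp.exe child that a rule limited to the watch list leaves alone. The request rule only fires on the exact handler path with type=rau and a large body, which keeps ordinary RadAsyncUpload configuration requests (small GETs and POSTs) out of the alert stream; the threshold is the knob to tune against the application's real upload sizes.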
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all instances of Telerik UI for ASP.NET AJAX in your environment using asset inventory and web application scanning.
2. Verify the Telerik version by inspecting the DLL file version (Telerik.Web.UI.dll) — versions prior to 2020.1.114 are vulnerable.
3. Isolate or take offline any internet-facing applications that use vulnerable Telerik versions until patching is complete.
4. Block access to the RadAsyncUpload handler at the WAF/perimeter firewall level as an emergency compensating control.

PATCHING GUIDANCE:
5. Upgrade immediately to Telerik UI for ASP.NET AJAX version 2020.1.114 or later.
6. If upgrading is not immediately possible, apply the cryptographic key hardening workaround by setting a strong, unique MachineKey in web.config and configuring the AllowedCustomMetaDataTypes setting.
7. Disable the RadAsyncUpload functionality entirely if file upload is not required by the application.

COMPENSATING CONTROLS:
8. Deploy WAF rules that target RadAsyncUpload exploitation patterns.
9. Apply application allowlisting on web servers to prevent unauthorized process creation from w3wp.exe.
10. Enable enhanced logging for w3wp.exe process creation events and network connections.

DETECTION RULES:
11. Monitor for suspicious child processes created by w3wp.exe, such as cmd.exe, powershell.exe and certutil.exe.
12. Alert on POST requests to /Telerik.Web.UI.WebResource.axd?type=rau that contain large or encoded payloads.
13. Search the SIEM for indicators of compromise: unusual DLL loads in the IIS process and outbound connections from w3wp.exe.
14. Deploy a Sigma rule that detects w3wp.exe creating cmd.exe or powershell.exe as child processes.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Patch Management — Critical vulnerability patching within defined SLA
ECC-2-3-1: Web Application Security — Secure configuration of web-facing components
ECC-2-5-1: Vulnerability Management — Identification and remediation of critical vulnerabilities
ECC-3-3-3: Malicious Code Protection — Prevention of code execution via web components
ECC-2-6-1: Logging and Monitoring — Detection of exploitation attempts
🔵 SAMA CSF
3.3.6 Vulnerability Management — Critical patch deployment timelines
3.3.7 Penetration Testing — Validation of web application security posture
3.4.2 Secure Configuration Management — Hardening of web application frameworks
3.3.5 Threat Intelligence — Monitoring for active exploitation of known CVEs
3.2.4 Access Control — Restricting unauthorized code execution on web servers
🟡 ISO 27001:2022
A.8.8 Management of technical vulnerabilities — Timely patching of critical components
A.8.19 Installation of software on operational systems — Control of web framework versions
A.8.25 Secure development life cycle — Secure coding and component management
A.8.16 Monitoring activities — Detection of exploitation attempts via SIEM
A.5.30 ICT readiness for business continuity — Impact of web server compromise
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities by installing applicable security patches
Requirement 6.4.1 — Web-facing applications protected against known attacks
Requirement 6.4.2 — Automated technical solution deployed to detect and prevent web-based attacks
Requirement 11.3.1 — Internal vulnerability scans performed regularly
Requirement 10.7 — Failures of critical security controls detected and reported
📦 Affected Products / CPE (1 entry)
Progress: Telerik UI for ASP.NET AJAX
📊 CVSS Score: 9.0 / 10.0 — Critical
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0
EPSS: 93.58%
Exploit: Yes
Patch: Yes
CISA KEV: Yes
KEV Due Date: 2022-05-03
Published: 2021-11-03
Source Feed: cisa_kev
🇸🇦 Saudi Risk Score: 9.4 / 10.0
🏷️ Tags: kev, actively-exploited, ransomware