CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is...

Basic Information

CVE State: PUBLISHED
Reserved Date: November 13, 2019
Published Date: December 11, 2019
Last Updated: February 04, 2025
Vendor: Progress
Product: Telerik UI for ASP.NET AJAX
Description: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-05 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2023-12-25 06:45:11 UTC) Source
Used in Malware: Yes (added 2021-11-03 00:00:00 UTC) Source

References

https://www.telerik.com/support/whats-new/release-history https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization https://github.com/bao7uo/RAU_crypto https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui https://github.com/noperator/CVE-2019-18935 http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29 http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/telerik_rau_deserialization.rb	2025-04-29 11:01:39 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

telerik_rau_deserialization

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-18935

dust-life/CVE-2019-18935-memShell

Type: github • Created: 2023-12-25 06:45:11 UTC • Stars: 6

random-robbie/CVE-2019-18935

Type: github • Created: 2020-09-30 10:00:16 UTC • Stars: 5

CVE-2019-18935

murataydemir/CVE-2019-18935

Type: github • Created: 2020-08-19 17:11:02 UTC • Stars: 15

[CVE-2019-18935] Telerik UI for ASP.NET AJAX (RadAsyncUpload Handler) .NET JSON Deserialization

ThanHuuTuan/Telerik_CVE-2019-18935

Type: github • Created: 2020-05-25 08:37:51 UTC • Stars: 12

TelerikUI Vulnerability Scanner (CVE-2019-18935)

noperator/CVE-2019-18935

Type: github • Created: 2019-12-12 07:58:11 UTC • Stars: 351

RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX.

Timeline

CVE ID Reserved

November 13, 2019
CVE Published to Public

December 11, 2019
Exploit Used in Malware

November 03, 2021
Added to KEVIntel

November 03, 2021
Proof of Concept Exploit Available

December 25, 2023
Detected by Metasploit

April 29, 2025