KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2024-4358

PUBLISHED

Registration Authentication Bypass Vulnerability

Exploited in the wild PoC available Remote Low complexity No user interaction
Vendor
Progress Software Corporation
Product
Telerik Report Server
Published
May 29, 2024
EPSS

Description

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

cisa nuclei_scanner metasploit nessus_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2024-06-13 00:00:00 UTC · Source

Proof of concept available

Recorded 2024-08-24 10:09:09 UTC · Source

SSVC decision points

Exploitation
active
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Jun 13, 2024

Scanner integrations

Scanner Reference Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/telerik_report_server_deserialization.rb Apr 28, 2025
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4358.yaml Apr 25, 2025
Nessus https://www.tenable.com/plugins/nessus/200109 Jun 05, 2024

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

telerik_report_server_deserialization

metasploit · Created Unknown

Metasploit module for CVE-2024-4358

gh-ost00/CVE-2024-4358

github · Created 2024-08-24 10:09:09 UTC · 4 stars

Telerik Report Server deserialization and authentication bypass exploit chain for CVE-2024-4358/CVE-2024-1800

verylazytech/CVE-2024-4358

github · Created 2024-06-09 06:30:06 UTC · 12 stars

Authentication Bypass Vulnerability — CVE-2024–4358 — Telerik Report Server 2024

Sk1dr0wz/CVE-2024-4358_Mass_Exploit

github · Created 2024-06-05 01:05:12 UTC · 24 stars

RevoltSecurities/CVE-2024-4358

github · Created 2024-06-04 11:32:59 UTC · 5 stars

An Vulnerability detection and Exploitation tool for CVE-2024-4358

sinsinology/CVE-2024-4358

github · Created 2024-06-03 08:22:10 UTC · 75 stars

Progress Telerik Report Server pre-authenticated RCE chain (CVE-2024-4358/CVE-2024-1800)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nessus

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Metasploit