CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server

On May 31, security researcher Sina Kheirkhah of the Summoning Team posted on X (formerly known as Twitter) the discovery of an exploit chain involving two vulnerabilities in Progress Telerik Report Server, a report management solution.

On June 3, Kheirkhah published a blog post detailing how he and security researcher Soroush Dalili were able to chain together the two vulnerabilities to achieve full remote code execution (RCE). Kheirkhah notes his interest in this target arose from an incorrectly scored deserialization vulnerability (CVE-2024-1800) from the vendor. While the vendor scored this as a CVSS 9.9, indicating that no authentication is needed, the advisory from Trend Micro’s Zero Day Initiative (ZDI) suggests that a low privileged user is required. After Kheirkhah was able to identify an authentication bypass issue (CVE-2024-4358), he worked with Dalili to “complete  the deserialization chain” to combine both flaws to achieve RCE.

With a public exploit script and historical exploitation of flaws in Telerik and other Progress products, we may see exploit-related activity associated with this exploit chain in the near future. We strongly advise patching these flaws as soon as possible.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.