CVE-2017-9248
CVE-2017-9248 is a critical-severity vulnerability in Progress Sitefinity with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-522.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 75% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2017-18184
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-522
- Affected product: Progress Sitefinity
- Published:
- Last modified:
Description
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Frequently asked questions
- What is CVE-2017-9248?
- Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
- How severe is CVE-2017-9248?
- CVE-2017-9248 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-9248 being actively exploited?
- Yes. CVE-2017-9248 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-9248?
- CVE-2017-9248 primarily affects Progress Sitefinity. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-9248?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-9248 have an EU (EUVD) identifier?
- Yes. CVE-2017-9248 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-18184. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2017-9248 published?
- CVE-2017-9248 was published on 2017-07-03 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/99965
- http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity
- http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
- https://www.exploit-db.com/exploits/43873/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9248
Affected products (2)
- cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*
- cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*
More vulnerabilities in Progress Sitefinity
- CVE-2026-7312 — Critical (CVSS 10.0): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to…
- CVE-2026-7198 — Critical (CVSS 9.8): CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote…
- CVE-2023-29375 — Critical (CVSS 9.8): An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826,…
- CVE-2019-17392 — Critical (CVSS 9.8): Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header…
- CVE-2017-15883 — Critical (CVSS 9.8): Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and…
- CVE-2026-7201 — High (CVSS 8.8): CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before…
All CVEs affecting Progress Sitefinity →
Other CWE-522 (Insufficiently Protected Credentials) vulnerabilities
- CVE-2026-7312 — Critical (CVSS 10.0): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to…
- CVE-2026-29128 — Critical (CVSS 10.0): IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g.,…
- CVE-2025-54863 — Critical (CVSS 10.0): Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration…
- CVE-2024-12799 — Critical (CVSS 10.0): Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64…
- CVE-2024-51545 — Critical (CVSS 10.0): Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list…
- CVE-2023-1778 — Critical (CVSS 10.0): This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to…
Browse all CWE-522 (Insufficiently Protected Credentials) vulnerabilities →