CVE-2019-18935
CVE-2019-18935 is a critical-severity vulnerability in Telerik Ui For Asp.net Ajax with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-8608
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-502
- Affected product: Telerik Ui For Asp.net Ajax
- Published:
- Last modified:
Description
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
CVE-2019-18935: Telerik UI for ASP.NET AJAX RadAsyncUpload Deserialization RCE
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2019-18935 |
| Product | Progress Telerik UI for ASP.NET AJAX |
| Affected | Through 2019.3.1023 |
| CWE | CWE-502: Deserialization of Untrusted Data |
| CVSS v3 | 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS v2 | 7.5 — AV:N/AC:L/Au:N/C:P/I:P/A:P |
| EPSS | 0.99737 (99.95th percentile) |
| KEV | Yes — CISA KEV catalogued 2021-11-03 |
| Patched | 2020.1.114 |
Summary
Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. Successful exploitation yields remote code execution (RCE) on the target web server, but requires knowledge of the application's encryption keys. This prerequisite is commonly satisfied through the related vulnerabilities CVE-2017-11317 or CVE-2017-11357, or by other key-recovery techniques.
Background
Telerik UI for ASP.NET AJAX is a widely-used commercial control suite for building ASP.NET web applications. The RadAsyncUpload component provides asynchronous file-upload capabilities. In affected versions, the component deserializes attacker-controlled input using JavaScriptSerializer without adequate validation, a classic deserialization weakness in the .NET ecosystem.
Root Cause
CWE-502: Deserialization of Untrusted Data
The RadAsyncUpload handler accepts a serialized object from the client and passes it to JavaScriptSerializer.Deserialize(). Because the serializer type list is not sufficiently restricted, an attacker can craft a payload that instantiates arbitrary .NET types during deserialization. In the presence of known gadget chains (for example, those leveraging TypeConfuseDelegate or ObjectDataProvider), this leads directly to arbitrary code execution in the application pool identity.
The encryption-key prerequisite exists because the payload must be encrypted with the same keys used by the Telerik DialogParameters or RadAsyncUpload encryption routines. When these keys are at their known default values, or have been recovered, the server will successfully decrypt and process the malicious payload.
Impact
- Confidentiality: High — attacker can read arbitrary files, extract connection strings, and access backend data.
- Integrity: High — attacker can modify application logic, backdoor assemblies, and alter persisted data.
- Availability: High — attacker can terminate processes, crash the application pool, or deploy ransomware.
The CVSS v3 vector scores this vulnerability at 9.8 Critical because it is network-exploitable with low complexity, requires no privileges, and needs no user interaction.
Exploitation Walkthrough
Ethics caveat: The information below is provided for defensive purposes only. Do not test against systems you do not own or have explicit, documented permission to assess.
-
Key recovery or confirmation: Determine whether the Telerik encryption keys are known. This may involve:
- Confirming the application is also affected by CVE-2017-11317 (hardcoded default keys) or CVE-2017-11357 (weak key derivation).
- Brute-forcing the
Telerik.Web.UI.DialogParametersEncryptionKeyandTelerik.AsyncUpload.ConfigurationEncryptionKeyvalues if short or predictable.
-
Gadget-chain selection: Identify a suitable .NET deserialization gadget chain compatible with the target framework version. Common research frameworks maintain lists of proven gadgets for various .NET versions.
-
Payload construction: Build a serialized object that triggers the gadget chain. Encrypt the payload with the recovered keys using the same algorithm and key-derivation routine the Telerik control expects.
-
Delivery: Submit the encrypted payload to the
RadAsyncUploadhandler via the standard async-upload POST flow. The server decrypts, deserializes, and executes the embedded command. -
Verification from a defender's perspective: Monitor for unexpected
POSTrequests toTelerik.Web.UI.WebResource.axdorRadAsyncUploadHandler.ashxcontaining large, high-entropy encrypted blobs, especially when paired with subsequent out-of-band DNS or HTTP callbacks.
Affected and Patched Versions
| Status | Version |
|---|---|
| Affected | Telerik UI for ASP.NET AJAX ≤ 2019.3.1023 |
| Patched | Telerik UI for ASP.NET AJAX R1 2020 (2020.1.114) |
In 2020.1.114, a default configuration change prevents the exploit by disabling dangerous deserialization. In 2019.3.1023 only, administrators can apply a non-default setting to block exploitation, but this mitigation is not available in earlier releases.
Remediation
-
Upgrade to Telerik UI for ASP.NET AJAX 2020.1.114 or later. This is the definitive fix.
-
If immediate patching is not possible (2019.3.1023 only):
- Apply the non-default hardening setting described in the Telerik knowledge-base article to restrict deserialization.
- Rotate the
DialogParametersEncryptionKeyandAsyncUploadencryption keys to long, random values that are not derivable from public research.
-
Compensating controls:
- Place the upload handler behind an authenticated endpoint if business requirements allow.
- Restrict egress from the web-tier to impede reverse-shell and exfiltration workflows.
- Apply ASP.NET request-validation and file-extension whitelisting at the IIS/ASP.NET level as defence-in-depth.
Detection
- Web-server logs: Look for
POSTrequests toTelerik.Web.UI.WebResource.axdor async-upload endpoints that carry unusually largerauPostDataparameters. - WAF rules: Implement signatures for known CVE-2019-18935 payload patterns (high-entropy base64 blobs containing serialized
ObjectStateFormatterorLosFormatter-style markers). - Endpoint detection: Monitor the worker process (
w3wp.exe) for anomalous child-process spawning, especiallycmd.exe,powershell.exe, or unexpected outbound connections. - Threat-intelligence feeds: Correlate external scanning activity against CISA KEV and EPSS high-percentile indicators.
Assessment
With an EPSS score of 0.99737, this vulnerability is among the most reliably exploited flaws in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities catalog since November 2021 confirms active, ongoing exploitation by multiple threat actors. The prevalence of legacy Telerik deployments in government and enterprise environments makes this a persistent attack surface.
Key lessons:
- Deserialization of untrusted data remains one of the most dangerous vulnerability classes in modern web applications. Frameworks must use allow-list type resolution, not deny-listing.
- Hardcoded or weakly-derived encryption keys amplify the impact of otherwise complex vulnerabilities. Cryptographic secrets should be unique per deployment and rotated on a regular schedule.
References
- http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html
- https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html
- https://github.com/bao7uo/RAU_crypto
- https://github.com/noperator/CVE-2019-18935
- https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui
- https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
- https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
- https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29
- https://www.telerik.com/support/whats-new/release-history
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18935
Frequently asked questions
- What is CVE-2019-18935?
- Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
- How severe is CVE-2019-18935?
- CVE-2019-18935 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-18935 being actively exploited?
- Yes. CVE-2019-18935 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-18935?
- CVE-2019-18935 affects Telerik Ui For Asp.net Ajax. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-18935?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-18935 have an EU (EUVD) identifier?
- Yes. CVE-2019-18935 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-8608. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-18935 published?
- CVE-2019-18935 was published on 2019-12-11 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html
- https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html
- https://github.com/bao7uo/RAU_crypto
- https://github.com/noperator/CVE-2019-18935
- https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui
- https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
- https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
- https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29
- https://www.telerik.com/support/whats-new/release-history
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18935
Affected products (1)
- cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*
More vulnerabilities in Telerik Ui For Asp.net Ajax
- CVE-2017-11317 — Critical (CVSS 9.8): Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak…
- CVE-2017-9248 — Critical (CVSS 9.8): Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does…
All CVEs affecting Telerik Ui For Asp.net Ajax →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →