CVE-2019-18935

CVE-2019-18935 is a critical-severity vulnerability in Telerik Ui For Asp.net Ajax with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-502.

Key facts

Description

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

CVE-2019-18935: Telerik UI for ASP.NET AJAX RadAsyncUpload Deserialization RCE

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2019-18935
Product Progress Telerik UI for ASP.NET AJAX
Affected Through 2019.3.1023
CWE CWE-502: Deserialization of Untrusted Data
CVSS v3 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2 7.5 — AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS 0.99737 (99.95th percentile)
KEV Yes — CISA KEV catalogued 2021-11-03
Patched 2020.1.114

Summary

Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. Successful exploitation yields remote code execution (RCE) on the target web server, but requires knowledge of the application's encryption keys. This prerequisite is commonly satisfied through the related vulnerabilities CVE-2017-11317 or CVE-2017-11357, or by other key-recovery techniques.

Background

Telerik UI for ASP.NET AJAX is a widely-used commercial control suite for building ASP.NET web applications. The RadAsyncUpload component provides asynchronous file-upload capabilities. In affected versions, the component deserializes attacker-controlled input using JavaScriptSerializer without adequate validation, a classic deserialization weakness in the .NET ecosystem.

Root Cause

CWE-502: Deserialization of Untrusted Data

The RadAsyncUpload handler accepts a serialized object from the client and passes it to JavaScriptSerializer.Deserialize(). Because the serializer type list is not sufficiently restricted, an attacker can craft a payload that instantiates arbitrary .NET types during deserialization. In the presence of known gadget chains (for example, those leveraging TypeConfuseDelegate or ObjectDataProvider), this leads directly to arbitrary code execution in the application pool identity.

The encryption-key prerequisite exists because the payload must be encrypted with the same keys used by the Telerik DialogParameters or RadAsyncUpload encryption routines. When these keys are at their known default values, or have been recovered, the server will successfully decrypt and process the malicious payload.

Impact

  • Confidentiality: High — attacker can read arbitrary files, extract connection strings, and access backend data.
  • Integrity: High — attacker can modify application logic, backdoor assemblies, and alter persisted data.
  • Availability: High — attacker can terminate processes, crash the application pool, or deploy ransomware.

The CVSS v3 vector scores this vulnerability at 9.8 Critical because it is network-exploitable with low complexity, requires no privileges, and needs no user interaction.

Exploitation Walkthrough

Ethics caveat: The information below is provided for defensive purposes only. Do not test against systems you do not own or have explicit, documented permission to assess.

  1. Key recovery or confirmation: Determine whether the Telerik encryption keys are known. This may involve:

    • Confirming the application is also affected by CVE-2017-11317 (hardcoded default keys) or CVE-2017-11357 (weak key derivation).
    • Brute-forcing the Telerik.Web.UI.DialogParametersEncryptionKey and Telerik.AsyncUpload.ConfigurationEncryptionKey values if short or predictable.
  2. Gadget-chain selection: Identify a suitable .NET deserialization gadget chain compatible with the target framework version. Common research frameworks maintain lists of proven gadgets for various .NET versions.

  3. Payload construction: Build a serialized object that triggers the gadget chain. Encrypt the payload with the recovered keys using the same algorithm and key-derivation routine the Telerik control expects.

  4. Delivery: Submit the encrypted payload to the RadAsyncUpload handler via the standard async-upload POST flow. The server decrypts, deserializes, and executes the embedded command.

  5. Verification from a defender's perspective: Monitor for unexpected POST requests to Telerik.Web.UI.WebResource.axd or RadAsyncUploadHandler.ashx containing large, high-entropy encrypted blobs, especially when paired with subsequent out-of-band DNS or HTTP callbacks.

Affected and Patched Versions

Status Version
Affected Telerik UI for ASP.NET AJAX ≤ 2019.3.1023
Patched Telerik UI for ASP.NET AJAX R1 2020 (2020.1.114)

In 2020.1.114, a default configuration change prevents the exploit by disabling dangerous deserialization. In 2019.3.1023 only, administrators can apply a non-default setting to block exploitation, but this mitigation is not available in earlier releases.

Remediation

  1. Upgrade to Telerik UI for ASP.NET AJAX 2020.1.114 or later. This is the definitive fix.

  2. If immediate patching is not possible (2019.3.1023 only):

    • Apply the non-default hardening setting described in the Telerik knowledge-base article to restrict deserialization.
    • Rotate the DialogParametersEncryptionKey and AsyncUpload encryption keys to long, random values that are not derivable from public research.
  3. Compensating controls:

    • Place the upload handler behind an authenticated endpoint if business requirements allow.
    • Restrict egress from the web-tier to impede reverse-shell and exfiltration workflows.
    • Apply ASP.NET request-validation and file-extension whitelisting at the IIS/ASP.NET level as defence-in-depth.

Detection

  • Web-server logs: Look for POST requests to Telerik.Web.UI.WebResource.axd or async-upload endpoints that carry unusually large rauPostData parameters.
  • WAF rules: Implement signatures for known CVE-2019-18935 payload patterns (high-entropy base64 blobs containing serialized ObjectStateFormatter or LosFormatter-style markers).
  • Endpoint detection: Monitor the worker process (w3wp.exe) for anomalous child-process spawning, especially cmd.exe, powershell.exe, or unexpected outbound connections.
  • Threat-intelligence feeds: Correlate external scanning activity against CISA KEV and EPSS high-percentile indicators.

Assessment

With an EPSS score of 0.99737, this vulnerability is among the most reliably exploited flaws in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities catalog since November 2021 confirms active, ongoing exploitation by multiple threat actors. The prevalence of legacy Telerik deployments in government and enterprise environments makes this a persistent attack surface.

Key lessons:

  1. Deserialization of untrusted data remains one of the most dangerous vulnerability classes in modern web applications. Frameworks must use allow-list type resolution, not deny-listing.
  2. Hardcoded or weakly-derived encryption keys amplify the impact of otherwise complex vulnerabilities. Cryptographic secrets should be unique per deployment and rotated on a regular schedule.

References

Frequently asked questions

What is CVE-2019-18935?
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
How severe is CVE-2019-18935?
CVE-2019-18935 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-18935 being actively exploited?
Yes. CVE-2019-18935 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-18935?
CVE-2019-18935 affects Telerik Ui For Asp.net Ajax. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-18935?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-18935 have an EU (EUVD) identifier?
Yes. CVE-2019-18935 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-8608. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-18935 published?
CVE-2019-18935 was published on 2019-12-11 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Telerik Ui For Asp.net Ajax

All CVEs affecting Telerik Ui For Asp.net Ajax →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →