Security Experts:

Connect with us

Hi, what are you looking for?



Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency

Cyberspies and cybercriminals exploited a Telerik vulnerability tracked as CVE-2019-18935 on a government agency’s IIS server.

Advanced persistent threat (APT) actors and financially motivated cybercriminals have been spotted exploiting an old Telerik vulnerability as part of an attack that impacted a US government agency, according to a joint alert released on Wednesday by CISA, the FBI, and MS-ISAC.

An investigation revealed that a Microsoft Internet Information Services (IIS) web server belonging to a federal civilian executive branch (FCEB) agency hosted a vulnerable instance of the Telerik UI for ASP.NET AJAX application development library.

Progress Software’s Telerik application development solutions are used by major companies around the world, making vulnerabilities in these products highly valuable to threat actors.

According to CISA, an investigation conducted between November 2022 and January 2023 showed that threat actors exploited the Telerik vulnerability tracked as CVE-2019-18935 for remote code execution. 

The impacted agency had been using a vulnerability scanner that should have detected the presence of a component vulnerable to CVE-2019-18935, but it failed to do so due to the software being installed in a path not checked by the scanner. 

It’s believed that CVE-2019-18935 was chained with one of two even older Telerik vulnerabilities tracked as CVE-2017-11357 and CVE-2017-11317. Exploitation of CVE-2017-11357 or CVE-2017-11317 can be used to obtain encryption keys that are needed to exploit CVE-2019-18935.

CISA has not named the APT actor whose presence was detected on the government agency’s IIS server, but it did reveal that exploitation by a cybercrime gang known as XE Group was also observed on the same machine. In both cases, the flaw was leveraged to deliver DLL files that allowed the attackers to perform various activities. 

In the case of the APT, the group apparently exploited the security hole starting in August 2022. The malware they delivered was capable of collecting system information, writing files, and helping the attackers cover their tracks. 

As for XE Group, the earliest activity on the server was traced to August 2021. The hackers delivered DLL files that enabled them to collect system information and deploy additional components on the compromised system.

XE Group is a cybercrime gang that is believed to be operating out of Vietnam. The group has been around since at least 2013 and it has been known to target websites hosted on IIS servers in payment card skimming attacks. 

The hackers have been known to exploit the Telerik UI vulnerability tracked as CVE-2017-9248.

CVE-2019-18935 has been in CISA’s known exploited vulnerabilities catalog since November 2021, when the catalog was launched. One of the 2017 CVEs was added to the catalog in April 2022 and the other in January 2023. 

In 2020, the NSA listed CVE-2019-18935 as one of the most commonly exploited vulnerabilities by Chinese state-sponsored hackers.

In April 2022, cybersecurity agencies in the US, Canada, UK, Australia and New Zealand included CVE-2019-18935 in a list of commonly exploited security holes. Ransomware groups have also been known to target the flaw in their operations. 

The government alert published on Wednesday includes technical details, indicators of compromise (IoCs) and recommendations on how companies can prevent hackers from exploiting these vulnerabilities. 

Related: Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.