SecurityWeek

Progress Patches Critical Telerik Report Server Vulnerability

Progress Software calls attention to a critical remote code execution flaw in the Telerik Report Server product.

Progress Software has issued an advisory to call attention to a critical-severity vulnerability in its Telerik Report Server product and warned that the issue could be exploited for remote code execution (RCE).

The issue, tracked as CVE-2024-6327 (CVSS score of 9.9/10), is described as an insecure deserialization flaw affecting Telerik Report Server versions prior to 2024 Q2 (10.1.24.709).

“In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through CVE-2024-6096,” the company said in an advisory.

Remote attackers could exploit the deserialization of untrusted data to inject malicious objects and execute arbitrary code on the underlying server. Authentication is not required for the successful exploitation of the vulnerability.

Progress has addressed the issue in Telerik Report Server version 2024 Q2 (10.1.24.709) and urges users to update their deployments as soon as possible.

“Updating to Report Server 2024 Q2 (10.1.24.709) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version,” the company added.


As a temporary mitigation, administrators could change the user for the Report Server Application Pool to one that has limited permissions. Details on how to change the IIS user for the Report Server can be found in this knowledge base article.
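The interim mitigation above is an IIS configuration change, so a defender can script both the check and the change. The following PowerShell is an added example written for this page, not code from Progress or from the knowledge base article; it assumes the WebAdministration module that ships with IIS, and the pool name `TelerikReportServer` is a placeholder to be replaced with the name shown in IIS Manager on the actual host. It reports what the pool currently runs as, re-points it at a limited-permission account (or the per-pool virtual account when no credential is supplied), and includes a small check of an installed version against the fixed build from the advisory.

```powershell
#Requires -RunAsAdministrator
# Added example (not Progress or SecurityWeek code): apply the interim
# mitigation from the advisory by running the Report Server application pool
# as a limited-permission identity, and compare an installed version against
# the fixed 2024 Q2 build (10.1.24.709).
Import-Module WebAdministration

function Test-ReportServerPatched {
    # Returns $true when the supplied version string is at or above the
    # fixed build named in the advisory, $false when it is still affected.
    param([Parameter(Mandatory)][string]$InstalledVersion)
    $fixed = [version]'10.1.24.709'
    return ([version]$InstalledVersion -ge $fixed)
}

function Get-AppPoolIdentity {
    # Reads the processModel of an IIS application pool and summarises the
    # identity it runs under (LocalSystem, LocalService, NetworkService,
    # SpecificUser or ApplicationPoolIdentity).
    param([Parameter(Mandatory)][string]$PoolName)
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
    [pscustomobject]@{
        PoolName     = $PoolName
        IdentityType = $pm.identityType
        UserName     = $pm.userName
    }
}

function Set-LimitedAppPoolIdentity {
    # Switches the pool to a low-privilege account. With -Credential the pool
    # runs as that specific user; without it, the pool runs as the built-in
    # per-pool virtual account, which needs no stored password.
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [pscredential]$Credential
    )
    $poolPath = "IIS:\AppPools\$PoolName"
    $before = Get-AppPoolIdentity -PoolName $PoolName
    if ($before.IdentityType -eq 'LocalSystem') {
        Write-Warning "$PoolName currently runs as LocalSystem; any code executed through the pool inherits full machine privileges."
    }

    if ($Credential) {
        Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value SpecificUser
        Set-ItemProperty -Path $poolPath -Name processModel.userName -Value $Credential.UserName
        Set-ItemProperty -Path $poolPath -Name processModel.password -Value $Credential.GetNetworkCredential().Password
    } else {
        Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value ApplicationPoolIdentity
    }

    # Recycle so worker processes pick up the new identity, then re-read it.
    Restart-WebAppPool -Name $PoolName
    Get-AppPoolIdentity -PoolName $PoolName
}

# Usage (pool name and account are placeholders). The account must already
# exist and should be granted only the file-system rights the Report Server
# needs, as described in the vendor's knowledge base article:
# Test-ReportServerPatched -InstalledVersion '10.0.24.305'   # affected build
# $cred = Get-Credential -UserName 'SERVER\svc_reportserver' -Message 'Limited service account'
# Set-LimitedAppPoolIdentity -PoolName 'TelerikReportServer' -Credential $cred
```

The version check is a stop-gap for inventory scripts; updating to 2024 Q2 or later remains the only fix, and the identity change only limits what a successful exploit can do on the host.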

Telerik Report Server users are advised to update their instances as soon as possible. Threat actors are known to have exploited Telerik vulnerabilities as well, including in attacks targeting a US government agency.

Last month, Progress patched another critical flaw in the server, and the US cybersecurity agency CISA warned of its exploitation less than ten days later.

An end-to-end report management solution, Telerik Report Server helps businesses convert raw data into actionable insights that can be distributed within the organization.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
