Security News > 2023 > March > Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Multi-State Information Sharing and Analysis Center.
"Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch agency's Microsoft Internet Information Services web server," the agencies said.
Tracked as CVE-2019-18935, the issue related to a.NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execution.
CVE-2019-18935, in conjunction with CVE-2017-11317, has also been weaponized by a threat actor tracked as Praying Mantis to infiltrate the networks of public and private organizations in the U.S. Last month, CISA also added CVE-2017-11357 - another remote code execution bug affecting Telerik UI - to the Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.
Threat actors are said to have leveraged the flaw to upload and execute malicious dynamic-link library files masquerading as PNG images via the w3wp.
The web shell is equipped to "Enumerate drives; to send, receive, and delete files; and to execute incoming commands" and "Contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory."
News URL
https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html
Related news
- Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan (source)
- BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability (source)
- Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images (source)
- Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp (source)
- ⚡ Weekly Recap: VPN Exploits, Oracle's Silent Breach, ClickFix Surge and More (source)
- Hackers lurked in Treasury OCC’s systems since June 2023 breach (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- Hackers exploit WordPress plugin auth bypass hours after disclosure (source)
- Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices (source)
- ⚡ Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-12-11 | CVE-2019-18935 | Deserialization of Untrusted Data vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. | 9.8 |
| 2017-08-23 | CVE-2017-11317 | Inadequate Encryption Strength vulnerability in Telerik UI for Asp.Net Ajax Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | 9.8 |
| 2017-08-23 | CVE-2017-11357 | Unrestricted Upload of File with Dangerous Type vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | 9.8 |