Security News > 2024 > July > Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327)
Progress Software has fixed a critical vulnerability in its Telerik Report Server solution and is urging users to upgrade as soon as possible.
Telerik Report Server is an enterprise solution for storing, creating, managing and viewing reports in web and desktop applications.
CVE-2024-6327 is an insecure deserialization vulnerability that may allow attackers to remotely execute code on the underlying server through CVE-2024-6096, an insecure type resolution vulnerability that affects Telerik Reporting, a tool for building reports for and adding them to web and desktop applications.
Customers have been advised to upgrade to Telerik Reporting 2024 Q2, as it's the only way to remove CVE-2024-6096, and to upgrade to Telerik Report Server 2024 Q2 or later to fix CVE-2024-6327.
If the latter action is not possible, Progress Software notes that users "Can temporarily mitigate this issue by changing the user for the Report Server Application Pool to one with limited permissions".
Just last month, the Shadowserver Foundation spotted exploitation attempts for CVE-2024-4358, a vulnerability that, when concatenated with CVE-2024-1800, allowed attackers to achieve unauthenticated remote code execution on Progress Telerik Report Servers.
News URL
https://www.helpnetsecurity.com/2024/07/26/cve-2024-6327/
Related news
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Critical Langflow RCE flaw exploited to hack AI app servers (source)
- Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw (source)
- RCE flaw in MSP-friendly file sharing platform exploited by attackers (CVE-2025-30406) (source)
- CentreStack RCE exploited as zero-day to breach file sharing servers (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical flaws fixed in Nagios Log Server (source)
- MITRE warns that funding for critical CVE program expires today (source)
- CISA extends funding to ensure 'no lapse in critical CVE services' (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-24 | CVE-2024-6327 | Deserialization of Untrusted Data vulnerability in Progress Telerik Report Server In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. | 9.8 |
| 2024-07-24 | CVE-2024-6096 | Unsafe Reflection vulnerability in Progress Telerik Reporting In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability. | 9.8 |
| 2024-05-29 | CVE-2024-4358 | Authentication Bypass by Spoofing vulnerability in Telerik Report Server 2024 10.0.24.130/10.0.24.305 In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. | 9.8 |
| 2024-03-20 | CVE-2024-1800 | Deserialization of Untrusted Data vulnerability in Progress Telerik Report Server In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability. | 8.8 |