Security News > 2024 > July > Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327)
Progress Software has fixed a critical vulnerability in its Telerik Report Server solution and is urging users to upgrade as soon as possible.
Telerik Report Server is an enterprise solution for storing, creating, managing and viewing reports in web and desktop applications.
CVE-2024-6327 is an insecure deserialization vulnerability that may allow attackers to remotely execute code on the underlying server through CVE-2024-6096, an insecure type resolution vulnerability that affects Telerik Reporting, a tool for building reports for and adding them to web and desktop applications.
Customers have been advised to upgrade to Telerik Reporting 2024 Q2, as it's the only way to remove CVE-2024-6096, and to upgrade to Telerik Report Server 2024 Q2 or later to fix CVE-2024-6327.
If the latter action is not possible, Progress Software notes that users "Can temporarily mitigate this issue by changing the user for the Report Server Application Pool to one with limited permissions".
Just last month, the Shadowserver Foundation spotted exploitation attempts for CVE-2024-4358, a vulnerability that, when concatenated with CVE-2024-1800, allowed attackers to achieve unauthenticated remote code execution on Progress Telerik Report Servers.
News URL
https://www.helpnetsecurity.com/2024/07/26/cve-2024-6327/
Related news
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910) (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-24 | CVE-2024-6327 | Deserialization of Untrusted Data vulnerability in Progress Telerik Report Server In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. | 9.8 |
| 2024-07-24 | CVE-2024-6096 | Unsafe Reflection vulnerability in Progress Telerik Reporting In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability. | 9.8 |
| 2024-05-29 | CVE-2024-4358 | Authentication Bypass by Spoofing vulnerability in Telerik Report Server 2024 10.0.24.130/10.0.24.305 In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. | 9.8 |
| 2024-03-20 | CVE-2024-1800 | In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability. | 0.0 |