CVE-2017-11317

CRITICAL KEV

Telerik UI for ASP.NET AJAX < 2017.1.118 - Remote Code Execution via Weak RadAsyncUpload Encryption

Title source: llm

Exploitation Summary

CVE-2017-11317 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 11, 2022. EIP tracks 6 public exploits from researchers including Paul Taylor, bao7uo and 0xr2r, among them the Metasploit module exploits/windows/http/telerik_rau_deserialization.

AI-analyzed exploit summary: This exploit targets Telerik UI for ASP.NET AJAX RadAsyncUpload, leveraging hardcoded encryption keys and insecure direct object references to achieve arbitrary file upload. It encrypts payloads using AES-CBC and includes HMAC validation for newer versions.

Description

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

Exploits (6)

exploitdb WORKING POC
by Paul Taylor · python · webapps · aspx
https://www.exploit-db.com/exploits/43874

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX (versions 2012.3.1308 through 2017.1.118)
No auth needed
Prerequisites: Target must be running vulnerable Telerik UI version · Network access to the target web application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 182 stars
by bao7uo · remote
https://github.com/bao7uo/RAU_crypto

This repository contains a functional exploit for CVE-2019-18935, targeting Telerik Web UI for ASP.NET AJAX. The exploit leverages hardcoded encryption keys and insecure direct object references to achieve arbitrary file upload and .NET deserialization attacks.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Telerik Web UI for ASP.NET AJAX (versions before R3 2019 SP1)
No auth needed
Prerequisites: Access to hardcoded or custom encryption keys · Target running vulnerable Telerik Web UI version
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by 0xr2r · poc
https://github.com/0xr2r/CVE-2017-11317-auto-exploit-

This repository contains a functional exploit for CVE-2017-11317, an Insecure Direct Object Reference (IDOR) vulnerability in Telerik UI for ASP.NET AJAX. The exploit automates the discovery of encryption keys and crafts malicious requests to exploit the vulnerability.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX
No auth needed
Prerequisites: Access to the vulnerable Telerik UI for ASP.NET AJAX endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec SUSPICIOUS 1 star
by KasunPriyashan · poc
https://github.com/KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation

The repository claims to cover CVE-2019-18935 (RCE via insecure deserialization) and CVE-2017-11317 (unrestricted file upload) but contains no exploit code, technical details, or proof-of-concept. The README is a placeholder with no substance.

Classification: Suspicious 90%
Attack Type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: Telerik UI for ASP.NET AJAX
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb SCANNER
remote
https://github.com/hnytgl/TelerikUI-RCE

This repository contains a scanner for detecting Telerik UI vulnerabilities, including CVE-2017-11317, with multiple test modes and customizable configurations. It does not include functional exploit code but provides detailed scanning capabilities.

Classification: Scanner 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Progress Telerik UI (versions 2007.2.607.0 - 2019.3.1023.0)
No auth needed
Prerequisites: target URL · network access to the target
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by Spencer McIntyre, Paul Taylor, Markus Wulftange, Caleb Gross, Alvaro Muñoz, Oleksandr Mirosh, straightblast · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/telerik_rau_deserialization.rb

This Metasploit module exploits CVE-2019-18935, a .NET deserialization vulnerability in Telerik UI ASP.NET AJAX RadAsyncUpload. It uploads a malicious DLL via weak encryption (CVE-2017-11317) and triggers deserialization to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI ASP.NET AJAX (RadAsyncUpload component)
No auth needed
Prerequisites: Knowledge of cryptographic keys (default or custom) · Target version of Telerik UI ASP.NET AJAX · Access to the RadAsyncUpload handler
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/43874/
Third Party Advisory · x_refsource_confirm
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0006

Scores

CVSS v3 9.8
EPSS 0.8348
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-04-11
VulnCheck KEV 2020-06-19
InTheWild.io 2019-05-16
ENISA EUVD EUVD-2017-2951
CWE
CWE-326
Status published
Products (3)
telerik/ui_for_asp.net_ajax 2017.2.503
telerik/ui_for_asp.net_ajax 2017.2.621
telerik/ui_for_asp.net_ajax < 2016.3.1027
Published Aug 23, 2017
KEV Added Apr 11, 2022
Tracked Since Feb 18, 2026