CVE-2017-11357

CRITICAL · KEV · RANSOMWARE

Telerik UI for ASP.NET AJAX < 2020.1.114 - Unrestricted File Upload via RadAsyncUpload

Title source: llm

Exploitation Summary

CVE-2017-11357 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 26, 2023, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including Paul Taylor.

AI-analyzed exploit summary: The public exploit targets the RadAsyncUpload handler in Telerik UI for ASP.NET AJAX, combining the product's hardcoded default encryption keys with an insecure direct object reference in the upload configuration to achieve arbitrary file upload. It encrypts the upload configuration with AES-CBC and appends HMAC validation for newer versions that require it.

Description

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. Note that the affected-product range listed under Products below (< 2020.1.114) is broader than the fix release named in this description; when scanning, treat the CPE range as the bound to flag and confirm the installed build against the vendor fix release before closing a finding.

Exploits (2)

exploitdb · WORKING POC
by Paul Taylor · python · webapps · aspx
https://www.exploit-db.com/exploits/43874

Classification
Working PoC (95%)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Telerik UI for ASP.NET AJAX (versions 2012.3.1308 through 2017.1.118)
No auth needed
Prerequisites: Target must be running vulnerable Telerik UI version · Network access to the target web application
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb · SCANNER
remote
https://github.com/hnytgl/TelerikUI-RCE

This repository contains a Python-based scanner for detecting and testing Telerik UI vulnerabilities, including CVE-2017-11357. It performs component detection, file upload tests, and serialization vulnerability checks but does not include functional exploit code for achieving RCE.

Classification
Scanner (90%)
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Progress Telerik UI (versions 2007.2.607.0 - 2019.3.1023.0)
No auth needed
Prerequisites: target URL with Telerik UI components
devstral-2 · analyzed Feb 25, 2026
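Worked example (added here; it is not code from either tracked exploit, nor from Progress/Telerik): a minimal version fingerprint and range check of the kind the scanner entry above calls "component detection", using only the version bounds this page lists (the CPE upper bound < 2020.1.114 and the Exploit-DB PoC's target range 2012.3.1308 through 2017.1.118). It assumes, as an illustrative fingerprint, that the application's script or resource URLs embed the assembly reference "Telerik.Web.UI, Version=YYYY.Q.DDD.BB" (often percent-encoded inside a query string); the response fragments are constructed samples, not captured traffic.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_plus

Version = Tuple[int, int, int]

# Bounds taken from this page: the CPE upper bound (< 2020.1.114) and the
# version range the Exploit-DB PoC entry lists as its target
# (2012.3.1308 through 2017.1.118).
CPE_FIXED_BOUND: Version = (2020, 1, 114)
POC_RANGE: Tuple[Version, Version] = ((2012, 3, 1308), (2017, 1, 118))

# Assumed fingerprint: Telerik.Web.UI assembly references of the form
# "Telerik.Web.UI, Version=2017.1.118.45, Culture=neutral, PublicKeyToken=..."
# appearing in script/resource URLs. The trailing build number is ignored.
VERSION_RE = re.compile(
    r"Telerik\.Web\.UI,\s*Version=(\d{4})\.(\d)\.(\d{3,4})(?:\.\d+)?"
)


def parse_version_string(text: str) -> Version:
    """Parse 'YYYY.Q.DDD' or 'YYYY.Q.DDD.BB' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"not a Telerik version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def extract_version(body: str) -> Optional[Version]:
    """Return the first Telerik.Web.UI version referenced in a response body.

    The body is URL-decoded first because the reference usually sits inside
    a query string (commas and '=' percent-encoded, spaces as '+').
    """
    m = VERSION_RE.search(unquote_plus(body))
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version: Version) -> str:
    """Place a version against the page's ranges (tuples compare lexicographically)."""
    if version >= CPE_FIXED_BOUND:
        return "not affected per CPE range"
    if POC_RANGE[0] <= version <= POC_RANGE[1]:
        return "affected; inside the public PoC's tested range"
    return "affected per CPE range; outside the public PoC's tested range"


def assess(body: str) -> Dict[str, object]:
    """Fingerprint a response body and report the verdict."""
    version = extract_version(body)
    if version is None:
        return {"telerik_detected": False, "version": None,
                "verdict": "no Telerik.Web.UI reference found"}
    return {"telerik_detected": True, "version": "%d.%d.%d" % version,
            "verdict": classify(version)}


# Constructed sample response fragments (not captured from any real host).
SAMPLE_ENCODED = (
    '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_='
    'Telerik.Web.UI%2c+Version%3d2016.2.504.45%2c+Culture%3dneutral%2c+'
    'PublicKeyToken%3d121fae78165ba3d4"></script>'
)
SAMPLE_LATE = '<!-- Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral -->'
SAMPLE_FIXED = '<!-- Telerik.Web.UI, Version=2020.1.114.45, Culture=neutral -->'
SAMPLE_NONE = "<html><body>No Telerik controls here</body></html>"

if __name__ == "__main__":
    for name, body in [("encoded", SAMPLE_ENCODED), ("late", SAMPLE_LATE),
                       ("fixed", SAMPLE_FIXED), ("none", SAMPLE_NONE)]:
        print(name, assess(body))
```

A build that falls below the CPE bound but outside the PoC's tested range is still reported as affected, because the page's product range is the wider of the two; a version at or above 2020.1.114 is reported as not affected by the CPE range only, which is a triage signal, not proof that the RadAsyncUpload handler is disabled or that custom keys are configured.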

References (3)

Core References
Tags: Exploit, Third Party Advisory, VDB Entry (x_refsource_exploit-db)
https://www.exploit-db.com/exploits/43874/

Scores

CVSS v3 9.8
EPSS 0.7571
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-01-26
VulnCheck KEV 2020-10-20
InTheWild.io 2023-01-26
ENISA EUVD EUVD-2017-2986
Ransomware Use Confirmed
CWE
CWE-434
Status published
Products (2)
progress/telerik_ui_for_asp.net_ajax < 2020.1.114
telerik/ui_for_asp.net_ajax < 2020.1.114
Published Aug 23, 2017
KEV Added Jan 26, 2023
Tracked Since Feb 18, 2026