CVE-2017-9248

CRITICAL KEV

Telerik UI <R2 2017 SP1-10.0.6412.0 - MachineKey Leak

Title source: llm

Exploitation Summary

CVE-2017-9248 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 9 public exploits from researchers including Paul Taylor, bao7uo, and capt-meelo.

AI-analyzed exploit summary: This exploit targets a cryptographic weakness in Telerik UI for ASP.NET AJAX (CVE-2017-9248) by brute-forcing the encryption key used in the DialogHandler component. It leverages a padding oracle attack to decrypt or encrypt data, potentially leading to unauthorized access or data manipulation.

Description

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

Exploits (9)

exploitdb WORKING POC
by Paul Taylor · python · webapps · aspx
https://www.exploit-db.com/exploits/43873

This exploit targets a cryptographic weakness in Telerik UI for ASP.NET AJAX (CVE-2017-9248) by brute-forcing the encryption key used in the DialogHandler component. It leverages a padding oracle attack to decrypt or encrypt data, potentially leading to unauthorized access or data manipulation.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Complex
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX (versions 2012.3.1308 through 2017.1.118)
No auth needed
Prerequisites: Access to the target web application · DialogHandler component enabled
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 177 stars
by bao7uo · remote
https://github.com/bao7uo/dp_crypto

This repository contains a Python-based exploit for CVE-2017-9248, which targets a weak encryption implementation in Telerik UI for ASP.NET AJAX. The exploit brute-forces the dialog handler key and generates an encrypted URL to access a file manager, potentially allowing arbitrary file uploads.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX (up to and including version 2017.1.118)
No auth needed
Prerequisites: Access to the Telerik.Web.UI.DialogHandler.aspx endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 97 stars
by capt-meelo · remote
https://github.com/capt-meelo/Telewreck

This is a Burp Suite extension designed to detect and exploit CVE-2017-9248, a cryptographic weakness in Telerik Web UI. It includes functionality to bruteforce encryption keys and identify vulnerable versions during passive scans.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Telerik Web UI (versions listed in VULN_VERSIONS)
No auth needed
Prerequisites: Burp Suite · Jython · Python requests module
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 61 stars
by blacklanternsecurity · remote
https://github.com/blacklanternsecurity/dp_cryptomg

This repository contains a Python-based exploit for CVE-2017-9248, a cryptographic weakness in Telerik UI for ASP.NET AJAX dialog handler. The tool recovers the encryption key via error message analysis and enables arbitrary file uploads, leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX (DialogHandler and SpellCheckHandler)
No auth needed
Prerequisites: Access to Telerik.Web.UI.DialogHandler.aspx or Telerik.Web.UI.SpellCheckHandler.axd endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 2 stars
by 0xsharz · poc
https://github.com/0xsharz/telerik-scanner-cve-2017-9248

This repository contains a Python-based scanner for detecting CVE-2017-9248, a cryptographic vulnerability in Telerik UI components. It supports bulk scanning, multi-threading, and detailed reporting in CSV/JSON formats.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI components (versions prior to 2017.2.621)
No auth needed
Prerequisites: Network access to target endpoints · Telerik UI components exposed on the web
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by cehamod · remote
https://github.com/cehamod/UI_CVE-2017-9248

This repository contains a Python-based exploit for CVE-2017-9248, targeting a cryptographic vulnerability in Telerik UI for ASP.NET AJAX. The exploit leverages a base64-based encryption oracle to brute-force the encryption key used by the application.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX (multiple versions)
No auth needed
Prerequisites: Access to the target application's dialog handler endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by oldboysonnt · remote
https://github.com/oldboysonnt/dp

This is a Python-based exploit for CVE-2017-9248, targeting a cryptographic flaw in Telerik.Web.UI.dll. It brute-forces the encryption key used in the vulnerable component by analyzing responses to crafted requests.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Telerik.Web.UI.dll (various versions)
No auth needed
Prerequisites: Access to a vulnerable Telerik.Web.UI endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by ictnamanh · client-side
https://github.com/ictnamanh/CVE-2017-9248

This exploit PoC targets CVE-2017-9248, a vulnerability in Telerik UI for ASP.NET AJAX. It uses a brute-force approach to decrypt a key by leveraging error messages from the server, allowing an attacker to bypass authentication or execute arbitrary code.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Telerik UI for ASP.NET AJAX (versions affected by CVE-2017-9248)
No auth needed
Prerequisites: Network access to the target server · Telerik.Web.UI.DialogHandler.aspx endpoint exposed
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb SCANNER
remote
https://github.com/blacklanternsecurity/badsecrets

The repository contains a Python library for detecting the use of known or weak cryptographic secrets across various platforms, including ASP.NET, Django, Flask, and others. It does not include exploit code but provides modules to identify vulnerabilities related to weak secrets.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Multiple (ASP.NET, Django, Flask, etc.)
No auth needed
Prerequisites: Access to cryptographic products (e.g., cookies, tokens) generated by the target software
devstral-2 · analyzed Feb 25, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43873/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99965

Scores

CVSS v3 9.8
EPSS 0.8944
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-10-22
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2017-18184
CWE CWE-522
Status published
Products (2)
progress/sitefinity < 10.0.6412.0
telerik/ui_for_asp.net_ajax < 2017.2.503
Published Jul 03, 2017
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026