CVE-2024-4358

CRITICAL KEV NUCLEI

Telerik Report Server Auth Bypass and Deserialization RCE

Title source: metasploit

Exploitation Summary

CVE-2024-4358 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 13, 2024. EIP tracks 9 public exploits from researchers including VeryLazyTech, sinsinology and Sk1dr0wz, among them a Metasploit module, exploits/windows/http/telerik_report_server_deserialization. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass and deserialization RCE vulnerability in Progress Telerik Report Server 2024 Q1 (10.0.24.305) and earlier. It automates the creation of a malicious report and triggers deserialization to execute arbitrary commands.

Description

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

Exploits (9)

exploitdb WORKING POC
by VeryLazyTech · python · webapps · multiple
https://www.exploit-db.com/exploits/52103

This exploit demonstrates an authentication bypass and deserialization RCE vulnerability in Progress Telerik Report Server 2024 Q1 (10.0.24.305) and earlier. It automates the creation of a malicious report and triggers deserialization to execute arbitrary commands.

Classification
Working Poc 90%
Attack Type
Auth Bypass | Deserialization | Rce
Complexity
Moderate
Reliability
Reliable
Target: Progress Telerik Report Server 2024 Q1 (10.0.24.305) and earlier
No auth needed
Prerequisites: Network access to the target server · Telerik Report Server instance running a vulnerable version
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 78 stars
by sinsinology · remote
https://github.com/sinsinology/CVE-2024-4358

This repository contains a functional exploit for CVE-2024-4358, which chains an authentication bypass and deserialization vulnerability in Progress Telerik Report Server to achieve pre-authenticated remote code execution. The exploit creates a backdoor account, generates a malicious report with embedded payload, and triggers deserialization to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Progress Telerik Report Server (versions 2012-2024)
No auth needed
Prerequisites: Network access to the target server · Target server running vulnerable version of Telerik Report Server
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 26 stars
by Sk1dr0wz · remote
https://github.com/Sk1dr0wz/CVE-2024-4358_Mass_Exploit

This repository contains a functional exploit for CVE-2024-4358, which leverages authentication bypass and deserialization vulnerabilities to achieve remote code execution. The exploit creates a backdoor account, uploads a malicious report, and executes arbitrary commands via a crafted payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Telerik Reporting (specific version not explicitly stated)
No auth needed
Prerequisites: Network access to the target · Target running vulnerable Telerik Reporting instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 12 stars
by verylazytech · remote
https://github.com/verylazytech/CVE-2024-4358

The repository contains a functional exploit for CVE-2024-4358, demonstrating a deserialization vulnerability leading to remote code execution (RCE). The exploit automates the process of creating a report with a malicious payload, triggering deserialization via API endpoints.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a web application with report generation functionality)
Auth required
Prerequisites: Valid credentials for authentication · Access to vulnerable API endpoints
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 5 stars
by RevoltSecurities · remote
https://github.com/RevoltSecurities/CVE-2024-4358

The repository contains a functional exploit tool for CVE-2024-4358, which targets a deserialization vulnerability in an unspecified software. The tool supports both vulnerability detection and exploitation, with features like multi-threading, proxy support, and command execution.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a web application with a report server API)
Auth required
Prerequisites: Valid authentication token · Access to the target API endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by gh-ost00 · remote
https://github.com/gh-ost00/CVE-2024-4358

This repository contains a functional exploit for CVE-2024-4358, targeting Telerik Report Server with an authentication bypass and deserialization RCE. The exploit uses async HTTP requests to create a malicious report, trigger deserialization, and execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Telerik Report Server
No auth needed
Prerequisites: Network access to the target server · Telerik Report Server instance with vulnerable version
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Harydhk7 · remote
https://github.com/Harydhk7/CVE-2024-4358

This repository contains a functional exploit for CVE-2024-4358, which chains an authentication bypass with a deserialization vulnerability in Progress Telerik Report Server to achieve pre-authenticated remote code execution. The exploit creates a backdoor account, logs in, and uploads a malicious report file to trigger deserialization.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Progress Telerik Report Server
No auth needed
Prerequisites: Network access to the target server · Telerik Report Server instance vulnerable to CVE-2024-4358 and CVE-2024-1800
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by SinSinology, Soroush Dalili, Unknown, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/telerik_report_server_deserialization.rb

This Metasploit module exploits CVE-2024-4358 (authentication bypass) and CVE-2024-1800 (deserialization) to achieve RCE on Telerik Report Server. It creates an admin account, uploads a malicious .trdp file with embedded deserialization payload, and triggers execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Telerik Report Server <= 10.0.24.130
No auth needed
Prerequisites: Network access to Telerik Report Server · Server version <= 10.0.24.130
devstral-2 · analyzed Jun 05, 2026
metasploit WORKING POC
by SinSinology, Spencer McIntyre · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/telerik_report_server_auth_bypass.rb

This Metasploit module exploits CVE-2024-4358, an authentication bypass in Telerik Report Server, allowing unauthenticated attackers to create an administrative account via the exposed setup page.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Telerik Report Server <= 10.0.24.305
No auth needed
Prerequisites: Network access to the target server · Telerik Report Server with vulnerable version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Progress Telerik Report Server - Authentication Bypass
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan: title:"Log in | Telerik Report Server"

Scores

CVSS v3 9.8
EPSS 0.9748
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-06-13
VulnCheck KEV 2024-06-07
InTheWild.io 2024-06-13
ENISA EUVD EUVD-2024-43994
CWE
CWE-290
Status published
Products (1)
telerik/report_server_2024 < 10.0.24.305
Published May 29, 2024
KEV Added Jun 13, 2024
Tracked Since Feb 18, 2026