CVE-2019-18935

Name: CVE-2019-18935
Creator: NVD / NIST
Published: 2019-12-11T13:15:11.767+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10Actively ExploitedEPSS 99.74%

Last modified Jun 17, 2026

CVE-2019-18935 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.74% chance of exploitation in the next 30 days.

Description

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

99.74%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by May 3, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Telerik	Ui For Asp.Net Ajax	>= 2011.1.315, <= 2020.1.114

References

http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.htmlExploit, Third Party Advisory, VDB Entry
https://codewhitesec.blogspot.com/2019/02/telerik-revisited.htmlNot Applicable
https://github.com/bao7uo/RAU_cryptoExploit, Third Party Advisory
https://github.com/noperator/CVE-2019-18935Exploit, Third Party Advisory
https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-uiExploit, Third Party Advisory
https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/Press/Media Coverage
https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserializationPatch, Vendor Advisory
https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29Release Notes
https://www.telerik.com/support/whats-new/release-historyRelease Notes, Vendor Advisory
http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.htmlExploit, Third Party Advisory, VDB Entry
https://codewhitesec.blogspot.com/2019/02/telerik-revisited.htmlNot Applicable
https://github.com/bao7uo/RAU_cryptoExploit, Third Party Advisory
https://github.com/noperator/CVE-2019-18935Exploit, Third Party Advisory
https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-uiExploit, Third Party Advisory
https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/Press/Media Coverage
https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserializationPatch, Vendor Advisory
https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29Release Notes
https://www.telerik.com/support/whats-new/release-historyRelease Notes, Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18935US Government Resource

Timeline

Published: Dec 11, 2019
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2019-18935?

How severe is CVE-2019-18935?

CVE-2019-18935 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 99.74% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2019-18935?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-18935?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST