PT-2019-4636 · Progress · Telerik UI for ASP.NET AJAX

Credit: Bao7Uo +1

Published 2019-12-11 · Updated 2026-04-09

CVE-2019-18935

CVSS v3.1: 10.0 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected software and versions: Progress Telerik UI for ASP.NET AJAX, all versions prior to 2020.1.114 (R1 2020).
Description: Progress Telerik UI for ASP.NET AJAX before 2020.1.114 deserializes untrusted data in its RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau). The handler decrypts the rauPostData field of an upload request with the configured encryption key and hands the result to the .NET JavaScriptSerializer, which instantiates whatever type name the request supplies. An attacker who knows the key (older releases shipped a hard-coded default, tracked as CVE-2017-11317) can first upload a malicious mixed-mode assembly through the same handler and then name a type from that assembly, so it is loaded and its code runs inside the IIS worker process: unauthenticated remote code execution. The issue has been exploited by multiple threat actors, including a nation-state group that used it to breach a U.S. federal civilian agency's web server. The number of potentially affected systems worldwide is not specified.
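The two checks a responder needs for the issue described above are a version comparison against the first fixed build and a sweep of IIS logs for traffic to the RadAsyncUpload handler. The script below is an added example, not code from the original advisory or from Progress/Telerik; the IIS log it scans is constructed inline, and the two-POST heuristic in posting_clients (one request to upload the assembly, one to trigger deserialization) is this script's own triage rule, not something the advisory states.

```python
"""Triage helpers for CVE-2019-18935 (Telerik UI for ASP.NET AJAX RadAsyncUpload).

Added example, not code from the original page or from Progress/Telerik.
Assumptions are marked inline. The sample log below is constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# First fixed build per the advisory: Telerik UI for ASP.NET AJAX 2020.1.114.
FIXED_VERSION = (2020, 1, 114)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a Telerik build number such as '2019.3.1023' (year.release.build).

    This is the version reported by Telerik.Web.UI.dll (assembly/file version).
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Telerik version string: {version!r}")
    year, release, build = (int(p) for p in parts)
    return (year, release, build)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates 2020.1.114."""
    return parse_version(version) < FIXED_VERSION


# RadAsyncUpload handler: Telerik.Web.UI.WebResource.axd?type=rau.
# Exploitation POSTs the encrypted rauPostData field to this URL, so POSTs
# here from non-browser clients are what to look for.
RAU_STEM = "telerik.web.ui.webresource.axd"
RAU_QUERY = re.compile(r"(^|&)type=rau(&|$)", re.IGNORECASE)


def parse_w3c_log(lines):
    """Yield one dict per record of an IIS W3C extended log.

    IIS writes the column layout in a '#Fields:' directive; values are
    space-separated and never contain spaces (IIS encodes them as '+').
    """
    fields: list[str] | None = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def rau_requests(lines):
    """Return the records that hit the RadAsyncUpload handler (any method)."""
    hits = []
    for rec in parse_w3c_log(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        if stem.endswith(RAU_STEM) and RAU_QUERY.search(query):
            hits.append(rec)
    return hits


def posting_clients(hits):
    """Count POSTs to the handler per client IP. Heuristic (assumption): the
    exploit needs at least two POSTs, one to upload the DLL and one to name
    its type, so repeated POSTs from one non-browser client deserve a look."""
    return Counter(r["c-ip"] for r in hits if r.get("cs-method") == "POST")


# Constructed sample log (not real traffic). Layout mirrors the IIS default
# fields, trimmed to the columns used here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-03-01 10:15:02 10.0.0.5 GET /Default.aspx - 443 203.0.113.10 Mozilla/5.0 200
2023-03-01 10:15:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.28.1 200
2023-03-01 10:15:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.28.1 200
2023-03-01 10:15:11 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau&foo=1 443 203.0.113.10 Mozilla/5.0 200
2023-03-01 10:15:12 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=x 443 203.0.113.10 Mozilla/5.0 200
""".splitlines()


if __name__ == "__main__":
    for v in ("2019.3.1023", "2020.1.114"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    hits = rau_requests(SAMPLE_LOG)
    print(len(hits), "requests to the RadAsyncUpload handler")
    for ip, n in posting_clients(hits).items():
        print(f"{ip}: {n} POST(s) to type=rau")
```

Point rau_requests at the real u_ex*.log files from %SystemDrive%\inetpub\logs\LogFiles and compare the offending client IPs and user agents against normal application traffic; a browser uploading through RadAsyncUpload also POSTs to this URL, so the handler hit alone is not proof of exploitation.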
Recommendations: Update to Telerik UI for ASP.NET AJAX 2020.1.114 or later, which no longer lets the request choose the type that is deserialized; this is the only complete fix. Where the upgrade cannot happen immediately, reduce exposure: disable the RadAsyncUpload handler if the application does not use it (appSetting Telerik.Web.DisableAsyncUploadHandler set to true), otherwise restrict access to Telerik.Web.UI.WebResource.axd to trusted networks, and set strong, unique values for Telerik.AsyncUpload.ConfigurationEncryptionKey, Telerik.Upload.ConfigurationHashKey and Telerik.Web.UI.DialogParametersEncryptionKey (rotate them if they may have been disclosed). Because the bug has been exploited in the wild, treat an exposed, unpatched server as possibly compromised: review IIS logs for POST requests to Telerik.Web.UI.WebResource.axd?type=rau from non-browser clients and inspect the upload temp folder (~/App_Data/RadUploadTemp by default) for unexpected DLLs.
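To check the configuration side of these recommendations, the following added example (not code from the original advisory or from Progress/Telerik) audits a web.config for the appSettings named above, showing a weak configuration beside a hardened one. The key names are the ones Telerik documents; the 32-character minimum length is this script's own policy, an assumption rather than a product requirement, and both configs are constructed.

```python
"""Audit a web.config for the CVE-2019-18935 RadAsyncUpload hardening settings.

Added example, not code from the original page or from Progress/Telerik.
The appSettings key names are the ones Telerik documents; MIN_KEY_LEN is
this script's own policy (an assumption). Both sample configs are constructed.
"""
from __future__ import annotations

import secrets
import xml.etree.ElementTree as ET

# Keys Telerik uses to encrypt/sign RadAsyncUpload configuration and dialog parameters.
KEY_SETTINGS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
DISABLE_RAU = "Telerik.Web.DisableAsyncUploadHandler"
MIN_KEY_LEN = 32  # assumption: local policy, not a Telerik-mandated value


def app_settings(config_xml: str) -> dict[str, str]:
    """Collect <appSettings><add key=... value=.../> entries into a dict."""
    root = ET.fromstring(config_xml)
    settings: dict[str, str] = {}
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key")
        if key:
            settings[key] = add.get("value", "")
    return settings


def audit(config_xml: str, rad_async_upload_in_use: bool) -> list[str]:
    """Return findings; an empty list means the config passes this audit.

    This says nothing about the Telerik.Web.UI.dll build: upgrading to
    2020.1.114 or later is the fix, these settings only narrow the attack surface.
    """
    s = app_settings(config_xml)
    findings: list[str] = []
    if not rad_async_upload_in_use and s.get(DISABLE_RAU, "").lower() != "true":
        findings.append(f"{DISABLE_RAU} is not 'true' although RadAsyncUpload is unused")
    for name in KEY_SETTINGS:
        value = s.get(name)
        if value is None or not value.strip():
            findings.append(f"{name} is not set explicitly")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name} is shorter than {MIN_KEY_LEN} characters")
    return findings


def fresh_key() -> str:
    """Generate a key value: 32 random bytes rendered as 64 hex characters."""
    return secrets.token_hex(32)


# Constructed weak config: handler left enabled, one short key, two keys absent.
WEAK_CONFIG = """\
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="changeme" />
  </appSettings>
</configuration>
"""

# Constructed hardened config: handler disabled, all three keys set to fresh random values.
HARDENED_CONFIG = f"""\
<configuration>
  <appSettings>
    <add key="{DISABLE_RAU}" value="true" />
    <add key="{KEY_SETTINGS[0]}" value="{fresh_key()}" />
    <add key="{KEY_SETTINGS[1]}" value="{fresh_key()}" />
    <add key="{KEY_SETTINGS[2]}" value="{fresh_key()}" />
  </appSettings>
</configuration>
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg, rad_async_upload_in_use=False)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run audit() over the real web.config with rad_async_upload_in_use set from whether the application actually renders a RadAsyncUpload control; if it does, keep the handler but still rotate the keys and restrict access to the handler URL, and remember that the audit passing does not substitute for the upgrade.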

Exploit · Fix

Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)

Related Identifiers

BDU:2020-00797
CVE-2019-18935
ZDI-25-468

Affected Products

Telerik UI for ASP.NET AJAX