CISA Warns of Hackers Exploiting CVE-2017-11357 Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security vulnerability in Progress Telerik UI for ASP.NET AJAX to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
“CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” the agency said in a notice.
The critical vulnerability, tracked as CVE-2017-11357, carries a CVSS score of 9.8 out of 10 and was patched by Progress in 2017, in Telerik UI for ASP.NET AJAX R2 2017 SP2 (version 2017.2.621).
The flaw is an unrestricted file upload in the RadAsyncUpload component: user-supplied input is consumed directly by the upload handler without validation, so a remote attacker who sends a specially crafted HTTP request can upload a malicious file to the server, which can in turn be leveraged to execute arbitrary code on the vulnerable system. Proof-of-concept (PoC) exploit code has been published, which users should view as a strong recommendation to apply the vendor's patch.
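Two checks a defender would want to run against the description above: confirm whether a deployed Telerik.Web.UI assembly predates the fixed build (2017.2.621), and pull POSTs to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau) out of IIS W3C logs for review. The code below is an added example, not code from the article or from Progress. It assumes the standard Telerik year.release.build version format and the default IIS W3C log layout; the log lines are constructed for the example, and a hit is a hunting lead, not proof of exploitation, since legitimate uploads use the same handler.

```python
"""Triage helpers for CVE-2017-11357 (Telerik UI for ASP.NET AJAX, RadAsyncUpload).

Added example, not code from the article or from Progress.
  1. is_vulnerable_version(): compare a Telerik.Web.UI assembly version with the
     first fixed release, R2 2017 SP2 = 2017.2.621.
  2. find_rau_posts(): flag IIS W3C log rows that POST to the RadAsyncUpload
     handler (Telerik.Web.UI.WebResource.axd?type=rau) for manual review.
"""
import re
from typing import Dict, List, Tuple

# First release carrying the fix for CVE-2017-11357 (year, release, build).
FIXED_VERSION: Tuple[int, int, int] = (2017, 2, 621)


def parse_version(ver: str) -> Tuple[int, ...]:
    """'2017.1.118.45' -> (2017, 1, 118).

    Telerik builds are year.release.build[.revision]; only the first three
    components matter for comparing against the fixed build.
    """
    parts = ver.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected Telerik version string: {ver!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable_version(ver: str) -> bool:
    """True when the assembly predates 2017.2.621 (tuples compare lexicographically)."""
    return parse_version(ver) < FIXED_VERSION


# Constructed IIS W3C extended log excerpt (not real traffic).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-01-26 10:01:02 GET /Default.aspx - 203.0.113.10 200
2023-01-26 10:01:09 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.10 200
2023-01-26 10:01:15 GET /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.10 200
2023-01-26 10:02:40 POST /telerik.web.ui.webresource.axd type=rau 198.51.100.7 500
2023-01-26 10:03:01 POST /Upload.aspx - 198.51.100.7 200
"""

RAU_STEM = re.compile(r"/telerik\.web\.ui\.webresource\.axd$", re.IGNORECASE)


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C log text into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_rau_posts(log_text: str) -> List[Dict[str, str]]:
    """Return rows that POST to the RadAsyncUpload handler (case-insensitive)."""
    hits = []
    for row in parse_w3c(log_text):
        if row.get("cs-method", "").upper() != "POST":
            continue
        if not RAU_STEM.search(row.get("cs-uri-stem", "")):
            continue
        if "type=rau" in row.get("cs-uri-query", "").lower():
            hits.append(row)
    return hits


if __name__ == "__main__":
    for v in ("2016.3.1027.45", "2017.1.118.45", "2017.2.621.40", "2018.1.117.45"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for hit in find_rau_posts(SAMPLE_IIS_LOG):
        print("review:", hit["date"], hit["time"], hit["c-ip"], hit["sc-status"])
```

Run the version check against every Telerik.Web.UI.dll found on IIS hosts, not just the one the application references; stale copies in old site directories are common. Log hits should be correlated with files written under the site root shortly afterwards and with subsequent requests for those files.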
The cybersecurity agency did not share additional specifics on how the CVE-2017-11357 flaw is being weaponized and how widespread the exploitation efforts are.
To mitigate the risk, organizations are advised to prioritize timely remediation of the issue. Federal Civilian Executive Branch (FCEB) agencies are required to patch the flaw by February 16, 2023.