Critical Flaws in Progress Telerik Reporting Tools Put Organizations at Risk of Remote Takeover
Progress Software’s widely used Telerik Reporting tools are facing serious security vulnerabilities that could lead to full system compromise, the company warned today. Two flaws, one rated “critical,” allow attackers to remotely execute code or inject malicious objects into affected systems.
Telerik Report Server Under Fire
The most severe vulnerability, tracked as CVE-2024-6327, resides in Telerik Report Server, a popular solution for managing business reports. An attacker could exploit this flaw by sending specially crafted data to the server, triggering the deserialization of untrusted input. Successful exploitation could give the attacker the same level of control over the server as the application itself.
With a CVSSv3.1 base score of 9.9, this vulnerability is considered “critical,” demanding immediate attention from organizations using the software.
Temporary Workarounds Available
While a full fix is available in the latest version of Report Server (2024 Q2), Progress Software has provided temporary mitigation steps. These involve changing the user account associated with the Report Server Application Pool to one with limited permissions.
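The following PowerShell is an added example of that interim hardening step, not Progress Software's own guidance or code: it audits which identity the Report Server application pool runs under and, if it is a built-in high-privilege identity, re-points it at a dedicated low-privilege account. The pool name and account name are placeholders, and the account is assumed to already exist with only the rights the Report Server needs.

```powershell
# Added example (not Progress Software's code or official mitigation script).
# Audits the IIS application pool hosting Telerik Report Server and, if it does not
# already run as the intended least-privilege account, switches it to one.
# ASSUMPTIONS: $PoolName and $LowPrivUser are placeholders; the account already
# exists and has been granted only what the Report Server needs.
Import-Module WebAdministration

$PoolName    = 'ReportServerAppPool'          # placeholder: confirm the real name in IIS Manager
$LowPrivUser = 'CORP\svc-telerik-reporting'   # placeholder: dedicated, unprivileged service account
$Credential  = Get-Credential -UserName $LowPrivUser -Message 'Password for the low-privilege pool account'

$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) { throw "Application pool '$PoolName' not found" }

$model = Get-ItemProperty $poolPath -Name processModel
Write-Host "Current identity type: $($model.identityType)  user: $($model.userName)"

# A pool running as LocalSystem hands a successful deserialization attack SYSTEM-level
# control; anything other than the intended SpecificUser account is treated as a finding.
$needsChange = ("$($model.identityType)" -ne 'SpecificUser') -or ($model.userName -ne $LowPrivUser)

if ($needsChange) {
    Set-ItemProperty $poolPath -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $LowPrivUser
        password     = $Credential.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $PoolName
    Write-Host "Pool '$PoolName' now runs as $LowPrivUser"
} else {
    Write-Host 'Pool already runs as the intended low-privilege account; no change made.'
}
```

Run it from an elevated PowerShell session on the Report Server host; it reduces the blast radius of CVE-2024-6327 but is no substitute for upgrading to 2024 Q2.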
Telerik Reporting Also Vulnerable
A second flaw, CVE-2024-6096, affects Telerik Reporting, the underlying engine used in Report Server and other products. This vulnerability, rated “High,” enables object injection due to unsafe type resolution. While not as severe as CVE-2024-6327, it still poses a significant risk, allowing attackers to manipulate the application’s behavior.
Patch Now!
Progress Software has released updates for both Report Server and Telerik Reporting, version 2024 Q2 (10.1.24.709 and 18.1.24.709 respectively). All users are strongly urged to update to these versions or later as soon as possible.