Progress Telerik Report Server Vulnerability Allows RCE Attacks

Progress Telerik Report Server users must rush to update their systems as the firm patched a critical remote code execution (RCE) vulnerability.

Critical RCE Vulnerability Affected Progress Telerik Report Server

According to a recent advisory, Progress Telerik Report Server was impacted by a critical security vulnerability that could allow RCE attacks. The vulnerability existed due to the insecure deserialization of untrusted data, which could let an adversary execute arbitrary codes.

The vulnerability received the CVE ID CVE-2024-6327 and a critical severity rating with a CVSS score of 9.9.  Presently, the firm has not shared any technical details about the vulnerability. Even the vulnerability’s NVD listing mentions it as “under analysis,” awaiting details for the vulnerability summary.

Nonetheless, what’s clear is that the vulnerability impacts most existing Telerik Report Servers, including and prior to 10.1.24.514. Upon knowing the flaw, Progress patched it with version 2024 Q2 (10.1.24.709). Hence, users should ensure updating to this or later releases to receive the fix and avoid potential threats.

While the firm urges all users to update their systems with the latest release, Progress also shared temporary mitigation for systems where an immediate update isn’t possible. They recommend “changing the user for the Report Server Application Pool to one with limited permissions.”

For now, it remains unclear if the vulnerability has been .

Progress credited the researcher Markus Wulftange from CODE WHITE GmbH for reporting this flaw. The same researcher also discovered and reported another vulnerability, CVE-2024-6096, which affected all Progress Telerik Reporting versions before the latest release with the patch. The firm described it as an insecure type resolution that could allow object injection attacks, patching it with Reporting 2024 Q2 (18.1.24.709).

Let us know your thoughts in the comments.

Related posts

Apple Addressed Two Zero-Day Flaws In Intel-based Macs

Really Simple Security Plugin Flaw Risks 4+ Million WordPress Websites

Glove Stealer Emerges A New Malware Threat For Browsers