
CVE-2017-11317

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 23 August 2017
Modified: 21 April 2026
KEV Added: 11 April 2022
Patch: available (see vendor release notes)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9197 (99.7th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-11317 is a critical-severity Inadequate Encryption Strength (CWE-326) vulnerability in Telerik UI for ASP.NET AJAX. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-13 (Cryptographic Protection).

Deeper analysis

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 contains a weakness in RadAsyncUpload encryption classified under CWE-326. The component fails to apply adequate cryptographic protection to the serialized data it processes during asynchronous uploads; the resulting exposure is rated CVSS 3.1 9.8.

Remote unauthenticated attackers can supply crafted encrypted payloads over the network to bypass intended restrictions, enabling arbitrary file uploads to the server or subsequent execution of attacker-controlled code within the context of the web application.

Public references, including the vendor knowledge base article on unrestricted file upload and multiple exploit archives, indicate that the issue is resolved in the specified releases and that proof-of-concept deserialization exploits have been published.

EU & UK References

Vulnerability details

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

CWE(s): CWE-326 (Inadequate Encryption Strength)
KEV Date Added: 11 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: telerik
Product: ui for asp.net ajax
Versions: 2017.2.503, 2017.2.621 · ≤ 2016.3.1027

Mitigating Controls (NIST 800-53 r5)

SC-13 Cryptographic Protection (prevent): Directly requires cryptographic protection mechanisms that would eliminate the weak RadAsyncUpload encryption (CWE-326) enabling crafted payload bypass.

AC-3 Access Enforcement (prevent): Enforces access restrictions on file upload operations so that even a bypassed encryption check cannot result in arbitrary writes or code execution.

Input validation (prevent): Requires validation of all input data, which would reject the malicious serialized payloads used to exploit the upload encryption weakness.

References