Cyber Resilience

CVE-2017-11357

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 23 August 2017
Modified: 22 April 2026
KEV Added: 26 January 2023
Patch: R2 2017 SP2 (see Deeper analysis)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9368 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2017-11357 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Progress Telerik UI for ASP.NET AJAX. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 contains an unrestricted file upload vulnerability in the RadAsyncUpload component. The component does not adequately validate or restrict the user-supplied input that controls the upload, so an attacker can place files of their choosing on the server. The issue is classified as CWE-434 and carries a CVSS 3.1 base score of 9.8, reflecting network-reachable, unauthenticated exploitation with no user interaction and high impact on confidentiality, integrity, and availability.

An attacker can send crafted requests directly to the RadAsyncUpload handler (served through Telerik.Web.UI.WebResource.axd) to upload files to the server and, where the uploaded content is executable by the web server (for example an .aspx page), reach arbitrary code execution without authentication or user interaction. The code runs with the identity of the IIS application pool, which normally means control of the web application; how far that extends to the underlying host depends on the privileges granted to that identity.

Telerik's advisory describes the root cause as an insecure direct object reference in the upload control and states that the issue is resolved in R2 2017 SP2 (build 2017.2.711). The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, and public exploit code has been published on Exploit-DB.
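To turn the fixed-release statement above into a check, here is an added example (written for this page, not Telerik code or a tool the page cites) that pulls the Telerik.Web.UI assembly version out of a saved page and compares it with R2 2017 SP2. It assumes two things the page does not state: that Telerik-rendered pages expose the assembly identity as 'Telerik.Web.UI, Version=YYYY.R.BBB.NN' in script-manager hidden fields and WebResource.axd URLs, and that R2 2017 SP2 corresponds to build 2017.2.711. The markup samples are constructed.

```python
"""Triage for CVE-2017-11357: read the Telerik UI for ASP.NET AJAX build out of a
page's HTML and compare it with the fixed release, R2 2017 SP2.

Added example for this page, not Progress/Telerik code. Assumptions are marked.
"""
import re
from typing import Optional, Tuple
from urllib.parse import unquote_plus

# Assumption: R2 2017 SP2 is build 2017.2.711 (vendor build numbering).
FIXED_BUILD: Tuple[int, int, int] = (2017, 2, 711)

# Assumption: Telerik pages carry the assembly identity in script-manager hidden
# fields and WebResource.axd URLs as 'Telerik.Web.UI, Version=YYYY.R.BBB.NN'.
_VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d{4})\.(\d+)\.(\d+)\.(\d+)")


def extract_telerik_build(html: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, release, build) of the highest Telerik.Web.UI version found,
    or None when the page does not reference the assembly at all."""
    decoded = unquote_plus(html)  # script URLs carry the string percent-encoded
    builds = [tuple(int(g) for g in m.groups()[:3]) for m in _VERSION_RE.finditer(decoded)]
    return max(builds) if builds else None


def is_vulnerable_build(build: Tuple[int, int, int]) -> bool:
    """True when the build predates R2 2017 SP2 (strictly older than FIXED_BUILD)."""
    return tuple(build) < FIXED_BUILD


def triage(html: str) -> str:
    """'vulnerable', 'patched' (for this CVE only) or 'unknown' (no version seen)."""
    build = extract_telerik_build(html)
    if build is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_build(build) else "patched"


# Constructed sample markup, not captured from a real host.
SAMPLE_OLD = (
    '<input type="hidden" name="ctl00_RadScriptManager1_TSM" value=";;System.Web.Extensions, '
    'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35:en-US:sample;'
    'Telerik.Web.UI, Version=2016.3.1027.45, Culture=neutral, PublicKeyToken=121fae78165ba3d4:en-US:sample" />'
)
SAMPLE_NEW = (
    '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=ctl00_RadScriptManager1'
    '&amp;compress=1&amp;_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2017.2.711.45'
    '%2c+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4"></script>'
)

if __name__ == "__main__":
    for label, page in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("none", "<html></html>")):
        print(label, extract_telerik_build(page), triage(page))
```

A "patched" result only means the build is not older than the fix for this CVE; it says nothing about later Telerik advisories. A page that never references Telerik.Web.UI returns "unknown" rather than a guess, and the highest version on the page is taken because a single page can reference more than one combined-scripts bundle.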

Vulnerability details

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV Date Added: 26 January 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Progress
Product: Telerik UI for ASP.NET AJAX
Versions: ≤ 2020.1.114 (range as catalogued on this page; the vulnerability description names R2 2017 SP2 as the release that fixes this CVE)

Mitigating Controls

Mapped to NIST SP 800-53 r5:

SI-10 Information Input Validation (prevent)

Directly requires validation of the user-supplied input that drives the RadAsyncUpload component, blocking the arbitrary file uploads that lead to code execution in this CVE.

SI-3 Malicious Code Protection (prevent, detect)

Mandates malicious-code scanning and blocking mechanisms that would inspect and reject dangerous files uploaded through the vulnerable handler.

CM-7 Least Functionality (prevent)

Requires disabling or restricting non-essential upload functionality in the Telerik component until the fixed release is deployed or proper file-type and content restrictions are enforced.
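The detect side of the controls above, as an added example rather than anything from the page or the vendor: detection logic run over a constructed IIS W3C log that flags POSTs to the RadAsyncUpload handler, separates anonymous, referer-less clients from ordinary browser uploads, and lists what a flagged client fetched afterwards. The handler name (Telerik.Web.UI.WebResource.axd) is the one the advisory describes; the 'type=rau' query string and the W3C field layout are assumptions, and every log line is constructed.

```python
"""Detection over IIS W3C logs for CVE-2017-11357: flag POSTs to the RadAsyncUpload
handler, rank the clients behind them, and list what those clients fetched afterwards.

Added example for this page, not vendor or project code. Assumptions are marked.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# The handler name is the one named in the advisory; assumption: RadAsyncUpload
# posts reach it with the query string 'type=rau'.
RAU_HANDLER = "/telerik.web.ui.webresource.axd"
RAU_QUERY = "type=rau"

# Constructed sample log in IIS W3C format (not captured from a real host).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-02-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2023-02-01 10:00:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1&compress=1 443 - 198.51.100.7 Mozilla/5.0 https://app.example.test/Default.aspx 200 0 0 15
2023-02-01 10:02:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.28.1 - 200 0 0 48
2023-02-01 10:02:12 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.28.1 - 200 0 0 51
2023-02-01 10:02:15 10.0.0.5 GET /Uploads/cmd.aspx - 443 - 203.0.113.9 python-requests/2.28.1 - 200 0 0 33
2023-02-01 10:05:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 jdoe 198.51.100.7 Mozilla/5.0 https://app.example.test/Upload.aspx 200 0 0 90
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn IIS W3C lines into dicts keyed by the names in the '#Fields:' header.
    Rows whose column count does not match the header are skipped, not guessed."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def is_rau_upload(row: Dict[str, str]) -> bool:
    """POST to the RadAsyncUpload handler, whatever the response status was."""
    return (row.get("cs-method", "").upper() == "POST"
            and row.get("cs-uri-stem", "").lower().endswith(RAU_HANDLER)
            and RAU_QUERY in row.get("cs-uri-query", "").lower())


def rau_upload_summary(rows: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per-client view of RAU posts. 'anonymous' relies on cs-username, which only
    carries a name under Windows/Basic auth; forms-auth apps log '-' for everyone,
    so 'referer_missing' and the user-agent set are kept as supporting signals."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"posts": 0, "anonymous": False, "referer_missing": False, "user_agents": set()})
    for row in rows:
        if is_rau_upload(row):
            s = summary[row["c-ip"]]
            s["posts"] += 1
            s["anonymous"] |= row.get("cs-username", "-") == "-"
            s["referer_missing"] |= row.get("cs(Referer)", "-") == "-"
            s["user_agents"].add(row.get("cs(User-Agent)", "-"))
    return dict(summary)


def suspicious_clients(summary: Dict[str, dict]) -> List[str]:
    """Clients that posted to the handler anonymously and without a Referer."""
    return sorted(ip for ip, s in summary.items() if s["anonymous"] and s["referer_missing"])


def follow_on_requests(rows: List[Dict[str, str]], client_ip: str) -> List[str]:
    """Paths a client requested after its first RAU post, excluding the handler itself;
    a fresh .aspx path here is a candidate dropped file worth pulling from disk."""
    seen_rau, paths = False, []
    for row in rows:
        if row.get("c-ip") != client_ip:
            continue
        if is_rau_upload(row):
            seen_rau = True
        elif seen_rau and not row.get("cs-uri-stem", "").lower().endswith(RAU_HANDLER):
            paths.append(row["cs-uri-stem"])
    return paths


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG.splitlines())
    summary = rau_upload_summary(rows)
    for ip in suspicious_clients(summary):
        print(ip, summary[ip]["posts"], "RAU posts; follow-on:", follow_on_requests(rows, ip))
```

Under forms authentication cs-username is "-" for every request, so the anonymous flag alone is weak there; the missing Referer and the non-browser user agent carry the weight, and a successful follow-on GET of a path nobody else requested is the strongest pivot to check on disk. A 200 on the post is deliberately not required: a rejected upload is still a probe against the handler and worth recording.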
