Cyber Resilience

CVE-2017-9248

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 03 July 2017
Modified: 21 April 2026
KEV Added: 03 November 2021
Patch: available
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8944 (99.6th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2017-9248 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Progress Sitefinity. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2017-9248 affects Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX versions prior to R2 2017 SP1 and Sitefinity versions prior to 10.0.6412.0. The component fails to adequately protect the Telerik.Web.UI.DialogParametersEncryptionKey or the ASP.NET MachineKey, enabling remote attackers to bypass cryptographic protections as classified under CWE-522.

Unauthenticated attackers can exploit the flaw over the network to obtain the MachineKey, which in turn enables arbitrary file uploads or downloads, cross-site scripting, or compromise of ASP.NET ViewState; this unauthenticated, network-reachable, full-impact profile is what drives the CVSS 3.1 base score of 9.8.

Telerik security advisories and knowledge-base articles direct administrators to apply the R2 2017 SP1 update for UI for ASP.NET AJAX or version 10.0.6412.0 for Sitefinity to restore proper key protection.

Public exploit code for the issue has been published, confirming the cryptographic weakness can be leveraged in practice.

EU & UK References

Vulnerability details

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

CWE(s): CWE-522 (Insufficiently Protected Credentials)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Progress Sitefinity: ≤ 10.0.6412.0
Telerik UI for ASP.NET AJAX: ≤ 2017.2.503

Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent): Directly requires proper establishment, protection, and management of cryptographic keys such as the exposed Telerik DialogParametersEncryptionKey and ASP.NET MachineKey.

SC-13 Cryptographic Protection (prevent): Mandates use of validated cryptography to protect sensitive data and mechanisms, which the CVE bypasses via key leakage.

Patch management (prevent): Requires timely installation of vendor patches (R2 2017 SP1 / 10.0.6412.0) that restore correct key protection in Telerik.Web.UI.dll.

References