Cyber Resilience

CVE-2019-18935

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 11 December 2019
Modified: 07 November 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9365 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-18935 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Progress Telerik UI for ASP.NET AJAX. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and public proof-of-concept code is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function, tracked as CVE-2019-18935 and assigned CWE-502. The flaw permits remote code execution when the component's encryption keys are known, which can occur through prior issues such as CVE-2017-11317 or CVE-2017-11357 or by other means. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction.

An attacker who can reach the affected RadAsyncUpload endpoint and possesses the encryption keys can supply a malicious serialized object that the server deserializes, resulting in arbitrary code execution on the underlying system. Public exploit code and technical write-ups demonstrate practical attack chains that leverage this deserialization path once key material is obtained.

Later releases address the issue through configuration changes: version 2020.1.114 introduces a default setting that blocks the exploit, while 2019.3.1023 added a non-default setting that can prevent exploitation in that specific release. Public repositories and proof-of-concept materials, including cryptographic tooling and deserialization payloads targeting RadAsyncUpload, have been published that illustrate the attack requirements and impact.

Vulnerability details

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Progress Telerik UI for ASP.NET AJAX, versions 2011.1.315 through 2019.3.1023 (the secure default ships from 2020.1.114)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly blocks malicious serialized objects supplied to RadAsyncUpload by validating untrusted input before .NET deserialization occurs.

CM-6 Configuration Settings (prevent): enforces the secure default introduced in 2020.1.114, or the non-default setting available in 2019.3.1023, that disables the vulnerable deserialization path.

Key protection (prevent): protects the Telerik encryption keys whose disclosure (via CVE-2017-11317, CVE-2017-11357 or other means) is required to craft a valid malicious payload for this deserialization flaw.
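As an added example (not code from this page or from Progress/Telerik), the following Python script turns the version facts from the deeper analysis and the three mitigating controls above into an offline audit: it classifies a Telerik.Web.UI version against the 2019.3.1023 / 2020.1.114 boundary, and reads a web.config to check whether the hardening settings are present and whether explicit key material has been configured. The web.config documents are constructed samples. The appSettings key names (Telerik.AsyncUpload.ConfigurationEncryptionKey, Telerik.Upload.ConfigurationHashKey, Telerik.Upload.AllowedCustomMetaDataTypes, Telerik.Upload.DisableAsyncUploadHandler) are taken from Telerik's documentation as I know it and are assumptions to confirm against the vendor KB for your release; the finding codes are this example's own.

```python
"""Offline audit of a Telerik UI for ASP.NET AJAX deployment for CVE-2019-18935.

Two checks: (1) where the Telerik.Web.UI version sits relative to the releases
named in the advisory, and (2) whether web.config carries the RadAsyncUpload
hardening settings and explicit key material. Example code, not Telerik's.
"""
import xml.etree.ElementTree as ET

FIRST_AFFECTED = (2011, 1, 315)   # earliest version listed as affected
LAST_AFFECTED = (2019, 3, 1023)   # last release still vulnerable by default
FIXED_DEFAULT = (2020, 1, 114)    # first release whose default blocks the exploit

# web.config appSettings keys as documented by Telerik (assumption: spellings
# as in the vendor KB; verify for your release).
KEY_ENCRYPTION = "Telerik.AsyncUpload.ConfigurationEncryptionKey"
KEY_HASH = "Telerik.Upload.ConfigurationHashKey"
KEY_ALLOWED_TYPES = "Telerik.Upload.AllowedCustomMetaDataTypes"
KEY_DISABLE_HANDLER = "Telerik.Upload.DisableAsyncUploadHandler"


def parse_version(text):
    """'YYYY.Q.BUILD' (e.g. '2019.3.1023') -> (YYYY, Q, BUILD) for tuple comparison."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Telerik version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_status(text):
    """Map a version to the three cases the advisory distinguishes."""
    v = parse_version(text)
    if v >= FIXED_DEFAULT:
        return "secure-default"          # default setting prevents the exploit
    if v == LAST_AFFECTED:
        return "needs-opt-in-setting"    # blocked only if the non-default setting is on
    return "vulnerable"                  # no setting helps; upgrade required


def app_settings(web_config_xml):
    """Collect <appSettings><add key= value=/> pairs from a web.config document."""
    root = ET.fromstring(web_config_xml)
    return {
        el.get("key"): el.get("value", "")
        for el in root.iterfind("./appSettings/add")
        if el.get("key")
    }


def audit(web_config_xml, version):
    """Return a list of finding codes; an empty list means nothing to report."""
    settings = app_settings(web_config_xml)
    status = version_status(version)
    findings = []

    if status == "vulnerable":
        findings.append("VERSION_VULNERABLE")

    # With the upload handler switched off, the endpoint that deserializes the
    # upload configuration is not reachable, so the remaining checks are moot.
    if settings.get(KEY_DISABLE_HANDLER, "").strip().lower() == "true":
        return findings

    if status == "needs-opt-in-setting" and KEY_ALLOWED_TYPES not in settings:
        findings.append("ALLOWED_TYPES_NOT_SET")

    # A missing key means the library falls back to its built-in value, which is
    # public knowledge; the "encryption keys are known" precondition then holds
    # without any CVE-2017-11317/11357 disclosure at all.
    for key in (KEY_ENCRYPTION, KEY_HASH):
        if not settings.get(key, "").strip():
            findings.append(f"DEFAULT_KEY:{key}")

    return findings


# Constructed sample web.config documents (not from any real deployment).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SomeUnrelatedSetting" value="1" />
  </appSettings>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="replace-with-a-long-random-secret" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="replace-with-another-long-random-secret" />
    <add key="Telerik.Upload.DisableAsyncUploadHandler" value="true" />
  </appSettings>
</configuration>"""


if __name__ == "__main__":
    for name, cfg, ver in (("weak", WEAK_CONFIG, "2019.3.1023"),
                           ("hardened", HARDENED_CONFIG, "2020.1.114")):
        print(name, ver, version_status(ver), audit(cfg, ver) or "no findings")
```

Run it against the real Telerik.Web.UI.dll file version and the application's web.config; a DEFAULT_KEY finding on a patched release is still worth fixing, because the same key material is what the key-protection control above exists to guard.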
