Cyber Resilience

CVE-2024-4358

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 May 2024
Modified: 31 October 2025
KEV Added: 13 June 2024
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9434 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-4358 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Telerik Report Server 2024. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score of 0.9434 sits at the 100th percentile of all scored CVEs, placing it among the very highest by predicted exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2024-4358 is an authentication bypass vulnerability, tracked under CWE-290, that affects Progress Telerik Report Server version 2024 Q1 (10.0.24.305) and earlier when deployed on IIS. The flaw lets an unauthenticated attacker reach restricted functionality that should require valid credentials. Its CVSS 3.1 base score of 9.8 reflects a network-reachable attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity and availability.

Successful exploitation gives a remote attacker unauthorized access to the report server's restricted areas, and with it the potential for full compromise of the affected instance.

Vendor documentation at docs.telerik.com and the CISA Known Exploited Vulnerabilities catalog both reference the issue and direct administrators to the remediation steps in the Telerik knowledge-base article for CVE-2024-4358; the fix is to upgrade to Report Server 2024 Q1 (10.0.24.514) or later. Because exploitation needs no credentials, an internet-reachable instance that ran unpatched after the KEV date should be treated as potentially compromised: restrict network access to the server and audit its user list for accounts nobody provisioned.

The vulnerability's EPSS score stands at 0.9434 with a recorded peak of 0.9437, and its inclusion in CISA's KEV catalog confirms observed real-world exploitation activity.


Vulnerability details

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

CWE(s): CWE-290 (Authentication Bypass by Spoofing)
KEV Date Added: 13 June 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Telerik Report Server 2024, versions ≤ 10.0.24.305 (2024 Q1 and earlier, on IIS)
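The version bound above is easy to get wrong in inventory queries, because a string comparison ranks "9.2.23.1010" above "10.0.24.305". The following is an added example for this page, not code from Progress/Telerik or CISA: it parses dotted version strings numerically and classifies constructed inventory rows against the affected ceiling stated in the CVE text. The fixed build 10.0.24.514 is taken from the Progress advisory and is not stated on this page; the host names and rows are constructed.

```python
"""Triage Telerik Report Server instances for CVE-2024-4358 exposure.

Added example for this page (not vendor code). Assumptions:
 - affected ceiling 10.0.24.305 comes from the CVE text;
 - first fixed build 10.0.24.514 comes from the Progress advisory;
 - inventory rows below are constructed, not real hosts.
"""
from dataclasses import dataclass
import re

AFFECTED_MAX = (10, 0, 24, 305)   # 2024 Q1 (10.0.24.305) and earlier are affected
FIXED_MIN = (10, 0, 24, 514)      # assumption: first fixed build per vendor KB


def parse_version(s):
    """Turn '10.0.24.305' into (10, 0, 24, 305) so comparison is numeric.
    Short versions such as '10' are right-padded with zeros to four fields."""
    s = s.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"unrecognised version string: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))


@dataclass
class Asset:
    host: str
    product: str
    version: str


def classify(asset):
    """Return 'affected', 'patched', 'unknown-gap' or 'not-in-scope'.

    'unknown-gap' covers any build above the affected ceiling but below the
    fixed build; such a host needs a manual check against the vendor advisory
    rather than a silent pass."""
    if asset.product.lower() != "telerik report server":
        return "not-in-scope"
    v = parse_version(asset.version)
    if v <= AFFECTED_MAX:
        return "affected"   # includes every pre-2024 release
    if v >= FIXED_MIN:
        return "patched"
    return "unknown-gap"


def triage(assets):
    """Return the affected assets, sorted by host name for a stable report."""
    return sorted((a for a in assets if classify(a) == "affected"),
                  key=lambda a: a.host)


# Constructed inventory rows (hypothetical hosts)
INVENTORY = [
    Asset("rpt-prod-01", "Telerik Report Server", "10.0.24.305"),
    Asset("rpt-prod-02", "Telerik Report Server", "10.0.24.514"),
    Asset("rpt-legacy-07", "Telerik Report Server", "9.2.23.1010"),
    Asset("web-intranet", "Telerik UI for ASP.NET AJAX", "2024.1.131"),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(f"{a.host}: {a.product} {a.version} -> affected by CVE-2024-4358")
```

Feed `triage()` the rows from your CMDB export; anything it returns should be cross-checked against the KEV due date and the audit advice in the analysis above.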

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authenticated access decisions so the authentication-bypass flaw cannot grant entry to restricted Report Server functionality.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires identification and authentication of users before any access, directly blocking the unauthenticated path exploited by CVE-2024-4358.

Prevent: Mandates timely application of vendor patches that close the specific authentication-bypass registration flaw in Telerik Report Server.
