CVE-2024-4358
Published: 29 May 2024
Summary
CVE-2024-4358 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Telerik Report Server 2024. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2024-4358 is an authentication bypass vulnerability, tracked under CWE-290, that affects Progress Telerik Report Server version 2024 Q1 (10.0.24.305) and earlier when deployed on IIS. The flaw permits an unauthenticated attacker to reach restricted functionality that should otherwise require valid credentials. It received a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, no required privileges and no user interaction.
An unauthenticated remote attacker can exploit the weakness to obtain unauthorized access to the report server’s restricted areas, resulting in potential full compromise of confidentiality, integrity, and availability of the affected instance.
Vendor documentation at docs.telerik.com and the CISA Known Exploited Vulnerabilities catalog both reference the issue and direct administrators to apply the remediation steps outlined in the Telerik knowledge-base article for CVE-2024-4358.
The vulnerability’s EPSS score stands at 0.9434 with a recorded peak of 0.9437, and its inclusion in CISA’s KEV catalog confirms observed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43994
Vulnerability details
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
- KEV Date Added: 13 June 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authenticated access decisions so the authentication-bypass flaw cannot grant entry to restricted Report Server functionality.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of users before any access, directly blocking the unauthenticated path exploited by CVE-2024-4358.
- Vendor patching: mandates timely application of vendor patches that close the specific authentication-bypass registration flaw in Telerik Report Server.