In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.
The vulnerability results from unsafe deserialization of user-supplied data (CWE-502). An attacker with basic privilege level can send a specially crafted payload to a vulnerable application endpoint. During deserialization, the server processes malicious data without proper validation, leading to arbitrary code execution in the server context. The attack scope extends beyond the direct component (Scope: Changed), which increases the potential impact on the environment.
A successful attack allows the attacker to execute code remotely (RCE) on the server, which may lead to complete system takeover, sensitive data leakage, integrity violation, and service unavailability.
Progress Telerik Report Server must be immediately updated to version 2024 Q2 (10.1.24.709) or later. Detailed information is available in the official vendor document at: https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327
Progress Telerik Report Server in all versions prior to 2024 Q2 (10.1.24.709)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HProgress Telerik Report Server
APPProgress< 10.1.24.709
Related vulnerabilities
RCE w Progress Telerik Report Server przez insecure type resolution
RCE przez insecure deserialization w Progress Telerik Report Server
In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framewo...
In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset da...
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is p...