Endpoint Vulnerability

Telerik UI for ASP NET AJAX CVE-2019-18935 Code Injection Vulnerability

Description

Progress Telerik UI for ASP.NET AJAX up to 2019.3.1023 has a .NET deserialization flaw in RadAsyncUpload that allows remote code execution when encryption keys are known; default settings in 2020.1.114 mitigate it.

Outbreak Alert

Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers of Telerik User Interface (UI) for ASP-NET due to a deserialization vulnerability found in RadAsyncUpload function. FortiGuard Labs continue seeing high exploitation activity of these old vulnerabilities.

View the full Outbreak Alert Report

Affected Applications

UI for ASP NET AJAX

Version Updates

Date	Version	Status	Detail
2025-10-28	1.00929	Modified	UI for ASP NET AJAX
2025-02-14	1.00819	Modified	UI For ASP NET AJAX
2022-01-26	1.00290	New	UI For ASP NET AJAX

References

https://www.telerik.com/support/whats-new/release-history

ID	4128
Created	Jan 24, 2022
Description Updated	Jan 16, 2026
CVE ID
Tags	Progress Telerik UI Attack Threat Signal
Risk
Coverage	FortiClient
OS	Windows
Vendor	Telerik
Patch	manual
Application	UI for ASP NET AJAX

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Endpoint Vulnerability

Telerik UI for ASP NET AJAX CVE-2019-18935 Code Injection Vulnerability

Description

Outbreak Alert

Affected Applications

Version Updates

References

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

Endpoint Vulnerability

Telerik UI for ASP NET AJAX CVE-2019-18935 Code Injection Vulnerability

Description

Outbreak Alert

Affected Applications

Version Updates

References

Threat Intelligence
Center