• Language chooser
    • USA (English)
    • France (Français)
    • Italy (Italiano)
    • Latin America (Español)
    • Brazil (Portugués)
    • Germany (Deutsch)
    • Korea (한국어)
    • Japan (Beta) (日本語)

Progress Telerik UI Attack

Released: Mar 09, 2023

High Severity

Attack Type

Older vulnerabilities still being targeted in the wild

Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability. FortiGuard Labs continue seeing high exploitation activity and attacker attempting to exploit Telerik UI vulnerabilities. Learn More »

Common Vulnerabilities and Exposures



Telerik UI for ASP.NET is a popular UI component library for ASP.NET web applications. In 2017, several vulnerabilities were discovered, potentially resulting in remote code execution. Attacker has to chain exploits for unrestricted file upload (CVE-2017-11317, CVE-2017-11357) and insecure deserialization (CVE-2019-18935) vulnerabilities to execute arbitrary code on a remote machine. There are two malware campaigns associated with Progress Telerik UI Attack: Netwalker Ransomware and Blue Mockbird Monero Cryptocurrency-mining. CVE 2019-18935 also made it to CISA's top routinely exploited vulnerability list in the year 2020. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.

November 03, 2021: (CVE-2019-18935) Telerik UI for ASP.NET Deserialization Bug added to CISA known exploitation list
April 11, 2022: (CVE-2017-11317) Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability added to CISA known exploitation list
January 26, 2023: (CVE-2017-11357) Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability added to CISA known exploitation list

March 8, 2023: FortiGuard labs research indicates high exploitation activity and IPS detections of upto more than 50,000+ unique IPS devices. Admins should update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later) to mitigate the issue completely.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

  • AV

  • Vulnerability

  • AV (Pre-filter)

  • IPS

  • Assisted Response Services

  • Automated Response

  • InfoSec Services

  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.

Loading ...

Indicators of compromise Indicators of compromise
IOC Indicator List
Indicator Type Status ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active ip Active
hivnd.com domain Active
xegroups.com domain Active
xework.com domain Active
08375e2d187ee53ed263ee6529645e03ead1a8e77afd723... file Active
11415ac829c17bd8a9c4cef12c3fbc23095cbb3113c8940... file Active
11d8b9be14097614dedd68839c85e3e8feec08cdab675a5... file Active
144492284bcbc0110d34a2b9a44bef90ed0d6cda746df60... file Active
1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece9... file Active
508dd87110cb5bf5d156a13c2430c215035db216f20f546... file Active
5cbba90ba539d4eb6097169b0e9acf40b8c4740a01ddb70... file Active
707d22cacdbd94a3e6dc884242c0565bdf10a0be42990cd... file Active
72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587... file Active
74544d31cbbf003bc33e7099811f62a37110556b6c1a644... file Active
78a926f899320ee6f05ab96f17622fb68e674296689e864... file Active
815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2... file Active
833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa5... file Active
853e8388c9a72a7a54129151884da46075d45a5bcd19c37... file Active
8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a4... file Active
a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfeb... file Active
a14e2209136dad4f824c6f5986ec5d73d9cc7c86006fd2c... file Active
b4222cffcdb9fb0eda5aa1703a067021bedd8cf7180cdfc... file Active
d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac3... file Active
d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8... file Active
dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd... file Active
e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1ae... file Active
e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea7... file Active
f5cafe99bccb9d813909876fa536cc980c45687d0f411c5... file Active
1afd47f1e914bde661778966334270c4e3c47b88cbad8ca... file Active
810b0ff0eebadc4d7f0c44f1d321121d55a477bd1a92d1e... file Active
ae89f5aa5c2dc71f4d86d9018000e92940558f3e5fe1854... file Active url Active url Active url Active url Active url Active
http://tk.tktktkcscscs.com:443/ url Active
http://www.krispykreme.one/Check.ashx url Active
https://cdn.nigntboxcdn.com/Nigntboxcdngetdata.php url Active
krispykreme.one domain Active
nigntboxcdn.com domain Active
tktktkcscscs.com domain Active ip Active ip Active ip Active
Indicators of compromise Indicators of compromise
IOC Threat Activity

Last 30 days


Avg 0