Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers UPDATE - 20230619001
Overview
CISA received three files for analysis. The files included three webshells, written in PHP (PHP: Hypertext Preprocessor), ASPX (Active Server Pages Extended), and as a .NET DLL (Dynamic-Link Library). The samples are interactive webshells that can upload and manage files, create directories and files, and execute commands on the target machine.
What is the vulnerability?
CVE-2017-9248 - CVSS v3 Base Score: 9.8
What is vulnerable?
The vulnerability exists in the following products:
- Telerik.Web.UI.dll versions 2017.2.621 and older
- Sitefinity versions 10.0.6412.0 and older
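One way to locate affected copies of Telerik.Web.UI.dll on an IIS host, as an added example that is not part of the original advisory or CISA's report. The `C:\inetpub` web root and the expectation that the DLL's file version begins with the release number (for example `2017.2.621.x`) are assumptions; the function name is hypothetical.

```powershell
# Added example: inventory Telerik.Web.UI.dll copies and flag releases at or below 2017.2.621.
# Assumptions: $WebRoot is where IIS sites are deployed on this host, and the DLL's
# version resource starts with the release as Major.Minor.Build (e.g. 2017.2.621.x).
param(
    [string[]]$WebRoot = @('C:\inetpub')
)

# Highest affected Telerik.Web.UI.dll release, taken from the advisory.
$LastAffected = [version]'2017.2.621'

function Test-TelerikAffected {
    param([Parameter(Mandatory)][string]$VersionString)
    # Keep only the first three numeric fields; anything unparseable is reported as unknown.
    if ($VersionString -notmatch '^\s*(\d+)\.(\d+)\.(\d+)') { return $null }
    $release = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
    return ($release -le $LastAffected)
}

$results = foreach ($root in $WebRoot) {
    Get-ChildItem -Path $root -Recurse -Filter 'Telerik.Web.UI.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fileVersion = $_.VersionInfo.FileVersion
            $affected = if ($fileVersion) {
                Test-TelerikAffected -VersionString $fileVersion
            } else { $null }

            # Missing or odd version resources need a manual look rather than a silent pass.
            $status = if ($null -eq $affected) { 'UNKNOWN - check manually' } elseif ($affected) { 'AFFECTED' } else { 'Newer than 2017.2.621' }

            [pscustomobject]@{
                Status      = $status
                FileVersion = $fileVersion
                Path        = $_.FullName
            }
        }
}

$results | Sort-Object Status, Path | Format-Table -AutoSize -Wrap
```

The script only reports file versions; it does not check Sitefinity installations or look for the webshell IoCs in the report.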
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
CISA has listed this report in their Analysis Report catalog.
Recommendation
Because active exploitation has been reported, organisations that use Telerik services are strongly recommended to scan for the IoCs in the report and to patch this vulnerability within 2 weeks across all affected platforms, as per vendor instructions.