{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6023/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6023"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6023","telerik","deserialization","rce","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6023 exposes a critical vulnerability within the RadFilter control of Progress Telerik UI for AJAX. Affecting versions 2024.4.1114 to 2026.1.421, this flaw stems from insecure deserialization practices. The vulnerability arises when the filter state is exposed to the client, enabling malicious actors to manipulate this state. Successful exploitation grants attackers the ability to execute arbitrary code on the server. This vulnerability poses a significant risk to organizations utilizing the affected Telerik UI for AJAX versions, potentially leading to complete system compromise and data breaches. Defenders must promptly address this issue through patching or mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web application utilizing a vulnerable version of Progress Telerik UI for AJAX (2024.4.1114 - 2026.1.421) with the RadFilter control enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the RadFilter control\u0026rsquo;s behavior, specifically how filter states are serialized and exposed to the client-side, typically within the HTTP request or response.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the serialized filter state data, often Base64 encoded or similar, transmitted between the client and server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized payload containing instructions to execute arbitrary code on the server. This involves exploiting the insecure deserialization process.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the original, legitimate serialized filter state with the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request containing the malicious serialized data to the server.\u003c/li\u003e\n\u003cli\u003eThe Telerik UI for AJAX application on the server attempts to deserialize the tampered data using the RadFilter control.\u003c/li\u003e\n\u003cli\u003eDue to the insecure deserialization vulnerability, the malicious payload is executed, granting the attacker remote code execution on the server. The attacker can then perform actions such as installing malware, exfiltrating sensitive data, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6023 can lead to complete compromise of the affected server. An attacker can gain remote code execution, enabling them to install malware, steal sensitive data, or disrupt critical business operations. Given the widespread use of Telerik UI in enterprise applications, this vulnerability could potentially impact a large number of organizations across various sectors. Unpatched systems are at high risk of being exploited, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Progress Telerik UI for AJAX to a patched version outside the range of 2024.4.1114 through 2026.1.421 to remediate CVE-2026-6023.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telerik RadFilter Deserialization Attempt\u003c/code\u003e to identify attempts to exploit the deserialization vulnerability by monitoring for suspicious HTTP requests targeting the RadFilter control (Log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent malicious data from being deserialized.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the RadFilter control, such as requests with abnormally large or malformed serialized data (Log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T08:16:13Z","date_published":"2026-04-22T08:16:13Z","id":"/briefs/2026-04-telerik-rce/","summary":"An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.","title":"Insecure Deserialization Vulnerability in Telerik UI for AJAX RadFilter Control (CVE-2026-6023)","url":"https://feed.craftedsignal.io/briefs/2026-04-telerik-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6023","version":"https://jsonfeed.org/version/1.1"}