{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
"feed_url":"https://feed.craftedsignal.io/tags/telerik/",
"home_page_url":"https://feed.craftedsignal.io/",
"items":[
{"_cs_actors":[],
"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6023"}],
"_cs_exploited":false,
"_cs_products":[],
"_cs_severities":["critical"],
"_cs_tags":["cve-2026-6023","telerik","deserialization","rce","webserver"],
"_cs_type":"advisory",
"_cs_vendors":[],
"content_html":"\u003cp\u003eCVE-2026-6023 exposes a critical vulnerability within the RadFilter control of Progress Telerik UI for AJAX. Affecting versions 2024.4.1114 to 2026.1.421, this flaw stems from insecure deserialization practices. The vulnerability arises when the filter state is exposed to the client, enabling malicious actors to manipulate this state. Successful exploitation grants attackers the ability to execute arbitrary code on the server. This vulnerability poses a significant risk to organizations utilizing the affected Telerik UI for AJAX versions, potentially leading to complete system compromise and data breaches. Defenders must promptly address this issue through patching or mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web application utilizing a vulnerable version of Progress Telerik UI for AJAX (2024.4.1114 - 2026.1.421) with the RadFilter control enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the RadFilter control\u0026rsquo;s behavior, specifically how filter states are serialized and exposed to the client-side, typically within the HTTP request or response.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the serialized filter state data, often Base64 encoded or similar, transmitted between the client and server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized payload containing instructions to execute arbitrary code on the server. This involves exploiting the insecure deserialization process.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the original, legitimate serialized filter state with the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request containing the malicious serialized data to the server.\u003c/li\u003e\n\u003cli\u003eThe Telerik UI for AJAX application on the server attempts to deserialize the tampered data using the RadFilter control.\u003c/li\u003e\n\u003cli\u003eDue to the insecure deserialization vulnerability, the malicious payload is executed, granting the attacker remote code execution on the server. The attacker can then perform actions such as installing malware, exfiltrating sensitive data, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6023 can lead to complete compromise of the affected server. An attacker can gain remote code execution, enabling them to install malware, steal sensitive data, or disrupt critical business operations. Given the widespread use of Telerik UI in enterprise applications, this vulnerability could potentially impact a large number of organizations across various sectors. Unpatched systems are at high risk of being exploited, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Progress Telerik UI for AJAX to a patched version outside the range of 2024.4.1114 through 2026.1.421 to remediate CVE-2026-6023.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Telerik RadFilter Deserialization Attempt\u003c/code\u003e to identify attempts to exploit the deserialization vulnerability by monitoring for suspicious HTTP requests targeting the RadFilter control (Log source: webserver).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent malicious data from being deserialized.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the RadFilter control, such as requests with abnormally large or malformed serialized data (Log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2026-04-22T08:16:13Z",
"date_published":"2026-04-22T08:16:13Z",
"id":"/briefs/2026-04-telerik-rce/",
"summary":"An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.",
"title":"Insecure Deserialization Vulnerability in Telerik UI for AJAX RadFilter Control (CVE-2026-6023)",
"url":"https://feed.craftedsignal.io/briefs/2026-04-telerik-rce/"},
{"_cs_actors":[],
"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6022"}],
"_cs_exploited":false,
"_cs_products":[],
"_cs_severities":["high"],
"_cs_tags":["cve-2026-6022","telerik","resource-exhaustion"],
"_cs_type":"advisory",
"_cs_vendors":[],
"content_html":"\u003cp\u003eProgress Telerik UI for AJAX, a suite of UI components for ASP.NET AJAX, contains an uncontrolled resource consumption vulnerability within the RadAsyncUpload component. This vulnerability, identified as CVE-2026-6022, affects versions prior to 2026.1.421. The vulnerability stems from a failure to properly enforce maximum file size limits during the reassembly of file chunks uploaded via the RadAsyncUpload component. An unauthenticated attacker could exploit this vulnerability by uploading a large file in chunks, bypassing the configured maximum file size restriction. Successful exploitation leads to excessive disk space consumption on the server, potentially causing denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web application using a vulnerable version of Progress Telerik UI for AJAX with the RadAsyncUpload component enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to initiate a file upload to the RadAsyncUpload endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker splits the malicious file into multiple chunks, each smaller than the initially configured maximum upload size limit.\u003c/li\u003e\n\u003cli\u003eThe attacker sends each chunk to the server using separate HTTP requests to the RadAsyncUpload endpoint.\u003c/li\u003e\n\u003cli\u003eThe server receives the chunks and stores them temporarily, without enforcing the cumulative file size.\u003c/li\u003e\n\u003cli\u003eOnce all chunks are uploaded, the RadAsyncUpload component reassembles the file.\u003c/li\u003e\n\u003cli\u003eDue to the missing cumulative size check, the reassembled file exceeds the maximum allowed file size.\u003c/li\u003e\n\u003cli\u003eThe server stores the complete, oversized file, leading to disk space exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition due to disk space exhaustion. The number of affected systems depends on the usage of the vulnerable Telerik UI for AJAX RadAsyncUpload component. Organizations in any sector using the affected Telerik component are potentially vulnerable. If successful, the attack can cause application downtime, data loss, and require administrative intervention to restore service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Progress Telerik UI for AJAX to version 2026.1.421 or later to patch CVE-2026-6022.\u003c/li\u003e\n\u003cli\u003eImplement server-side monitoring for excessive disk space usage in directories associated with RadAsyncUpload temporary file storage.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousRadAsyncUploadChunks\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden file upload size limits to prevent resource exhaustion, as described in the Telerik documentation referenced.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2026-04-22T08:16:12Z",
"date_published":"2026-04-22T08:16:12Z",
"id":"/briefs/2026-04-telerik-resource-exhaustion/",
"summary":"A vulnerability exists in Progress Telerik UI for AJAX prior to 2026.1.421, RadAsyncUpload, due to missing cumulative size enforcement during chunk reassembly, which allows file uploads to exceed the configured maximum size, leading to disk space exhaustion.",
"title":"Telerik UI for AJAX RadAsyncUpload Uncontrolled Resource Consumption (CVE-2026-6022)",
"url":"https://feed.craftedsignal.io/briefs/2026-04-telerik-resource-exhaustion/"}
],
"language":"en",
"title":"CraftedSignal Threat Feed — Telerik",
"version":"https://jsonfeed.org/version/1.1"}