<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Telerik — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/telerik/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 22 Apr 2026 08:16:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/telerik/feed.xml" rel="self" type="application/rss+xml"/><item><title>Insecure Deserialization Vulnerability in Telerik UI for AJAX RadFilter Control (CVE-2026-6023)</title><link>https://feed.craftedsignal.io/briefs/2026-04-telerik-rce/</link><pubDate>Wed, 22 Apr 2026 08:16:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-telerik-rce/</guid><description>An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.</description><content:encoded><![CDATA[<p>CVE-2026-6023 exposes a critical vulnerability within the RadFilter control of Progress Telerik UI for AJAX. Affecting versions 2024.4.1114 to 2026.1.421, this flaw stems from insecure deserialization practices. The vulnerability arises when the filter state is exposed to the client, enabling malicious actors to manipulate this state. Successful exploitation grants attackers the ability to execute arbitrary code on the server. This vulnerability poses a significant risk to organizations utilizing the affected Telerik UI for AJAX versions, potentially leading to complete system compromise and data breaches. 
Defenders must promptly address this issue through patching or mitigation strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a web application utilizing a vulnerable version of Progress Telerik UI for AJAX (2024.4.1114 - 2026.1.421) with the RadFilter control enabled.</li>
<li>The attacker observes the RadFilter control&rsquo;s behavior, specifically how filter states are serialized and exposed to the client-side, typically within the HTTP request or response.</li>
<li>The attacker intercepts the serialized filter state (typically Base64 encoded) as it is transmitted between client and server.</li>
<li>The attacker crafts a replacement serialized payload that causes arbitrary code to run when the server deserializes it. This is possible because the server trusts and deserializes the client-supplied state without verifying that it produced it.</li>
<li>The attacker replaces the original, legitimate serialized filter state with the malicious payload.</li>
<li>The attacker sends the modified request containing the malicious serialized data to the server.</li>
<li>The Telerik UI for AJAX application on the server attempts to deserialize the tampered data using the RadFilter control.</li>
<li>Due to the insecure deserialization vulnerability, the malicious payload is executed, granting the attacker remote code execution on the server. The attacker can then perform actions such as installing malware, exfiltrating sensitive data, or disrupting services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6023 can lead to complete compromise of the affected server. An attacker can gain remote code execution, enabling them to install malware, steal sensitive data, or disrupt critical business operations. Given the widespread use of Telerik UI in enterprise applications, this vulnerability could potentially impact a large number of organizations across various sectors. Unpatched systems are at high risk of being exploited, leading to significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Progress Telerik UI for AJAX to a release newer than 2026.1.421 (the last version listed as affected) to remediate CVE-2026-6023; downgrading below the affected range is not a fix.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Telerik RadFilter Deserialization Attempt</code> to identify attempts to exploit the deserialization vulnerability by monitoring for suspicious HTTP requests targeting the RadFilter control (Log source: webserver).</li>
<li>Until the patch is applied, treat the filter state returned by the client as untrusted: do not deserialize it without integrity protection (for example a server-side MAC over the serialized blob) and restrict deserialization to the types the control actually expects. Generic input validation or sanitization does not stop deserialization attacks by itself, because the malicious payload is well-formed serialized data.</li>
<li>Monitor web server logs for unusual activity related to the RadFilter control, such as requests with abnormally large or malformed serialized data (Log source: webserver).</li>
</ul>
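<p>As an added illustration (not part of the CraftedSignal brief and not Progress/Telerik code), the following Python heuristic performs the kind of request inspection that the attack chain and the monitoring recommendations above call for: it examines the form field carrying the control's state and flags values that are not valid Base64, that are abnormally large, or that decode to a raw .NET BinaryFormatter stream. The field name <code>RadFilter1_ClientState</code>, the assumption that BinaryFormatter is the serializer involved, the size threshold, and the sample requests are all assumptions constructed for the example; the advisory does not state which serializer RadFilter uses or which field carries its state.</p>

```python
import base64
import binascii
import json
import re

# Leading bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord:
# record type 0x00, RootId 1, HeaderId -1), "AAEAAAD/////" once Base64 encoded.
# ASSUMPTION: the advisory does not say which serializer RadFilter uses; this
# signature is a generic indicator for raw BinaryFormatter payloads in HTTP.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"

# ASSUMPTION: the control's state is posted in a form field whose name contains
# "RadFilter". Replace with the field names your application actually emits.
STATE_FIELD = re.compile(r"radfilter", re.IGNORECASE)

# Legitimate filter states are small; baseline this against real traffic.
MAX_STATE_BYTES = 8 * 1024


def inspect_form(form):
    """Inspect one request's form fields.

    Returns a list of (field, reason) findings; an empty list means nothing
    matched. Reasons: malformed-base64, binaryformatter-header, oversized-state.
    """
    findings = []
    for name, value in form.items():
        if not STATE_FIELD.search(name):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            # Not valid Base64 at all: the control could not have produced it.
            findings.append((name, "malformed-base64"))
            continue
        if raw.startswith(BINARYFORMATTER_MAGIC):
            findings.append((name, "binaryformatter-header"))
        if len(raw) > MAX_STATE_BYTES:
            findings.append((name, "oversized-state"))
    return findings


def scan(requests):
    """Run inspect_form over a batch of requests; return [(path, findings)] for hits."""
    hits = []
    for req in requests:
        findings = inspect_form(req["form"])
        if findings:
            hits.append((req["path"], findings))
    return hits


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample traffic for the demonstration; not captured from a real
# Telerik deployment. Field names and values are illustrative only.
SAMPLE_REQUESTS = [
    # 1. Ordinary postback: a small JSON state blob.
    {"path": "/Orders.aspx", "form": {
        "RadFilter1_ClientState": _b64(json.dumps({"expressions": []}).encode())}},
    # 2. State replaced with a raw BinaryFormatter stream.
    {"path": "/Orders.aspx", "form": {
        "RadFilter1_ClientState": _b64(BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 64)}},
    # 3. Valid Base64 but far larger than any legitimate filter state.
    {"path": "/Orders.aspx", "form": {
        "RadFilter1_ClientState": _b64(b"{" + b" " * 20000 + b"}")}},
    # 4. Garbage that is not Base64 at all.
    {"path": "/Orders.aspx", "form": {
        "RadFilter1_ClientState": "%%not-base64%%"}},
    # 5. Same signature in an unrelated field: out of scope for this
    #    RadFilter-specific rule (widen STATE_FIELD to catch it as well).
    {"path": "/Orders.aspx", "form": {
        "__EVENTARGUMENT": _b64(BINARYFORMATTER_MAGIC)}},
]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_REQUESTS):
        print(path, findings)
```

<p>Run it on a stream of parsed requests (for example from a reverse proxy or WAF that logs POST bodies; stock IIS W3C logs do not include them) and alert on any finding. The BinaryFormatter signature is the high-confidence indicator; the size and malformed-Base64 checks are noisier and should be thresholded against a baseline of the application's legitimate filter states.</p>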
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-6023</category><category>telerik</category><category>deserialization</category><category>rce</category><category>webserver</category></item><item><title>Telerik UI for AJAX RadAsyncUpload Uncontrolled Resource Consumption (CVE-2026-6022)</title><link>https://feed.craftedsignal.io/briefs/2026-04-telerik-resource-exhaustion/</link><pubDate>Wed, 22 Apr 2026 08:16:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-telerik-resource-exhaustion/</guid><description>A vulnerability exists in Progress Telerik UI for AJAX prior to 2026.1.421, RadAsyncUpload, due to missing cumulative size enforcement during chunk reassembly, which allows file uploads to exceed the configured maximum size, leading to disk space exhaustion.</description><content:encoded><![CDATA[<p>Progress Telerik UI for AJAX, a suite of UI components for ASP.NET AJAX, contains an uncontrolled resource consumption vulnerability within the RadAsyncUpload component. This vulnerability, identified as CVE-2026-6022, affects versions prior to 2026.1.421. The vulnerability stems from a failure to properly enforce maximum file size limits during the reassembly of file chunks uploaded via the RadAsyncUpload component. An unauthenticated attacker could exploit this vulnerability by uploading a large file in chunks, bypassing the configured maximum file size restriction. Successful exploitation leads to excessive disk space consumption on the server, potentially causing denial of service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a web application using a vulnerable version of Progress Telerik UI for AJAX with the RadAsyncUpload component enabled.</li>
<li>The attacker starts a file upload against the RadAsyncUpload endpoint.</li>
<li>The attacker splits a very large file into chunks, each individually below the configured maximum file size.</li>
<li>The attacker sends each chunk in its own HTTP request to the RadAsyncUpload endpoint.</li>
<li>The server receives the chunks and stores them temporarily, without enforcing the cumulative file size.</li>
<li>Once all chunks are uploaded, the RadAsyncUpload component reassembles the file.</li>
<li>Due to the missing cumulative size check, the reassembled file exceeds the maximum allowed file size.</li>
<li>The server stores the complete, oversized file, leading to disk space exhaustion.</li>
</ol>
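<p>The following Python model is an added example, not code from the CraftedSignal brief or from Telerik's RadAsyncUpload implementation. It shows the chunk-reassembly flaw the attack chain above describes side by side with the fix the recommendations ask for: the vulnerable reassembler compares each chunk with the limit on its own, while the hardened one tracks the cumulative size, rejects the first chunk that would cross the limit, and removes the partial file so rejected attempts cannot themselves fill the disk. The byte limits, chunk sizes, and class names are assumptions chosen for the demonstration.</p>

```python
import os
import tempfile

MAX_UPLOAD_BYTES = 1024  # assumed small limit so the demonstration runs instantly


class UploadTooLarge(Exception):
    """Raised when a chunk, or the running total, would exceed the limit."""


class Reassembler:
    """Shared temp-file handling; subclasses decide what gets checked."""

    def __init__(self, max_size):
        self.max_size = max_size
        self.tmp = tempfile.NamedTemporaryFile(delete=False)  # chunks land on disk

    def abort(self):
        """Discard the partial upload so rejected attempts cannot fill the disk."""
        self.tmp.close()
        if os.path.exists(self.tmp.name):
            os.unlink(self.tmp.name)

    def finish(self):
        """Return the reassembled size and remove the temp file (a real handler
        would move it into its final location instead)."""
        self.tmp.close()
        size = os.path.getsize(self.tmp.name)
        os.unlink(self.tmp.name)
        return size

    def leftover(self):
        """True if a temp file is still on disk after the upload ended."""
        return os.path.exists(self.tmp.name)


class VulnerableReassembler(Reassembler):
    """The flaw the advisory describes: each chunk is compared with the limit
    on its own, so any number of chunks just under the limit are all accepted."""

    def add_chunk(self, chunk):
        if len(chunk) > self.max_size:          # per-chunk check only
            self.abort()
            raise UploadTooLarge("single chunk exceeds limit")
        self.tmp.write(chunk)


class HardenedReassembler(Reassembler):
    """Checks the cumulative size before writing and throws the partial file
    away at the first chunk that would cross the limit."""

    def __init__(self, max_size):
        super().__init__(max_size)
        self.received = 0

    def add_chunk(self, chunk):
        if self.received + len(chunk) > self.max_size:
            self.abort()
            raise UploadTooLarge(
                f"{self.received + len(chunk)} bytes would exceed {self.max_size}")
        self.tmp.write(chunk)
        self.received += len(chunk)


def simulate(reassembler_cls, max_size, chunk_size, chunk_count):
    """Send chunk_count chunks of chunk_size bytes through a reassembler.

    Returns ("stored", bytes_on_disk, leftover) or
            ("rejected", bytes_accepted_before_rejection, leftover),
    where leftover reports whether a temp file survived the attempt.
    """
    r = reassembler_cls(max_size)
    accepted = 0
    for _ in range(chunk_count):
        try:
            r.add_chunk(b"\x00" * chunk_size)
        except UploadTooLarge:
            return ("rejected", accepted, r.leftover())
        accepted += chunk_size
    size = r.finish()
    return ("stored", size, r.leftover())


if __name__ == "__main__":
    # Eight chunks of half the limit: four times the maximum in total.
    print("vulnerable:", simulate(VulnerableReassembler, MAX_UPLOAD_BYTES, 512, 8))
    print("hardened:  ", simulate(HardenedReassembler, MAX_UPLOAD_BYTES, 512, 8))
```

<p>The cumulative check alone is not the whole story: an attacker who starts many uploads and never finishes them still leaves partial temp files behind, so the hardened handler should also be paired with a per-session or per-client quota and a time-to-live on the temporary upload directory, which is what the disk-usage monitoring recommended below would catch.</p>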
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to a denial-of-service condition due to disk space exhaustion. The number of affected systems depends on the usage of the vulnerable Telerik UI for AJAX RadAsyncUpload component. Organizations in any sector using the affected Telerik component are potentially vulnerable. If successful, the attack can cause application downtime, data loss, and require administrative intervention to restore service.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Progress Telerik UI for AJAX to version 2026.1.421 or later to patch CVE-2026-6022.</li>
<li>Implement server-side monitoring for excessive disk space usage in directories associated with RadAsyncUpload temporary file storage.</li>
<li>Deploy the Sigma rule <code>DetectSuspiciousRadAsyncUploadChunks</code> to detect potential exploitation attempts.</li>
<li>Review and harden the configured upload size limits for RadAsyncUpload, following Telerik's documentation for the control, so that a single oversized upload cannot exhaust disk space.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-6022</category><category>telerik</category><category>resource-exhaustion</category></item></channel></rss>