CVE-2019-18935

9.8 CRITICAL

📋 TL;DR

CVE-2019-18935 is a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX's RadAsyncUpload function that allows remote code execution when encryption keys are known. This affects organizations using vulnerable versions of Telerik UI for ASP.NET AJAX with the RadAsyncUpload component enabled. Attackers can exploit this to execute arbitrary code on affected servers.

💻 Affected Systems

Products:
  • Progress Telerik UI for ASP.NET AJAX
Versions: 2019.3.1023 and all earlier versions
Operating Systems: Windows with .NET Framework
Default Config Vulnerable: ⚠️ Yes
Notes: Requires RadAsyncUpload component to be enabled. In 2019.3.1023, a non-default setting can prevent exploitation. As of 2020.1.114, default setting prevents exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with attacker gaining complete control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web shell deployment, credential theft, and data manipulation.

🟢 If Mitigated: No impact if proper patching and configuration hardening are implemented.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication when vulnerable configuration exists.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit tools and scripts available. Exploitation requires knowledge of encryption keys, which can be obtained through other vulnerabilities like CVE-2017-11317 or CVE-2017-11357, or brute-forced.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.1.114 and later

Vendor Advisory: https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r3-2020-(version-2020-3-915)

Restart Required: Yes

Instructions:

1. Upgrade to Telerik UI for ASP.NET AJAX version 2020.1.114 or later.
2. Apply the update to all affected servers.
3. Restart IIS/application pools.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Disable RadAsyncUpload (platform: all)

Remove or disable the RadAsyncUpload component if not required:
  • Remove RadAsyncUpload controls from web applications
  • Disable in web.config if configured

Apply non-default secure setting (2019.3.1023 only; platform: windows)

Enable the non-default setting that prevents exploitation in version 2019.3.1023:
  • Set Telerik.Web.UI.AsyncUploadConfiguration.EncryptionKey to a strong random value
  • Configure AsyncUploadSettings.MaxFileSize to restrict uploads

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to affected systems
  • Deploy web application firewall (WAF) with rules to block deserialization attacks and suspicious upload patterns

🔍 How to Verify

Check if Vulnerable:

Check Telerik UI version in web.config or assembly files. Look for RadAsyncUpload usage in web applications.

Check Version:

Check web.config for the Telerik version, or examine the file properties of Telerik.Web.UI.dll.

Verify Fix Applied:

Verify version is 2020.1.114 or later. Test RadAsyncUpload functionality with security scanning tools.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns to RadAsyncUpload handlers
  • Errors in Telerik deserialization logs
  • Suspicious POST requests to Telerik handlers

Network Indicators:

  • HTTP POST requests to /Telerik.Web.UI.WebResource.axd with serialized data
  • Unusual outbound connections from web servers post-upload

SIEM Query:

source="web_server" AND (uri="*WebResource.axd*" OR uri="*RadAsyncUpload*" OR user_agent="*Telerik*") AND (method="POST" AND size>100000)
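The SIEM query above, applied offline to IIS W3C logs as an added example (not part of this advisory or of any Telerik tooling): a POST to the Telerik WebResource.axd / RadAsyncUpload handler, or carrying a Telerik User-Agent, with a request body over 100000 bytes is flagged. It assumes IIS logging has the cs-bytes field enabled; the sample log lines are constructed.

```python
"""Triage IIS W3C logs for the RadAsyncUpload request pattern in the SIEM query.

Field names follow the IIS W3C extended log format; cs-bytes (request size)
is not logged by default and must be enabled. Sample log below is constructed.
"""
import re

SIZE_THRESHOLD = 100_000  # byte threshold taken from the advisory's SIEM query
URI_PATTERN = re.compile(r"WebResource\.axd|RadAsyncUpload", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def is_suspicious(entry):
    """Apply the advisory's detection rule to one parsed entry."""
    if entry.get("cs-method", "").upper() != "POST":
        return False
    try:
        size = int(entry.get("cs-bytes", "0"))
    except ValueError:
        return False  # malformed size field: do not flag on bad data
    if size <= SIZE_THRESHOLD:
        return False
    uri = entry.get("cs-uri-stem", "")
    agent = entry.get("cs(User-Agent)", "")
    return bool(URI_PATTERN.search(uri)) or "telerik" in agent.lower()


def find_suspicious(text):
    """Return (client IP, URI, bytes) for every entry matching the rule."""
    return [(e["c-ip"], e["cs-uri-stem"], int(e["cs-bytes"]))
            for e in parse_w3c(text) if is_suspicious(e)]


# Constructed sample log: three benign requests and one hit on the handler.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes
2024-01-10 09:15:01 10.0.0.5 GET /Default.aspx - 443 198.51.100.7 Mozilla/5.0 200 412
2024-01-10 09:15:03 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 Mozilla/5.0 200 388
2024-01-10 09:15:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.9 curl/8.4.0 200 184432
2024-01-10 09:16:20 10.0.0.5 POST /Upload.aspx - 443 198.51.100.7 Mozilla/5.0 200 250113
"""

if __name__ == "__main__":
    for ip, uri, size in find_suspicious(SAMPLE_LOG):
        print(f"suspicious: {ip} POST {uri} ({size} bytes)")
```

A large POST to an ordinary upload page (the last sample line) is deliberately not flagged, so tune URI_PATTERN to your own handler paths if they differ.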
