CVE-2021-28141

9.8 CRITICAL

📋 TL;DR

This CVE describes a vulnerability in Progress Telerik UI for ASP.NET AJAX that allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. Attackers can potentially execute code on the server by injecting commands via the _TSM_HiddenField_ parameter. Organizations using affected versions of Telerik UI for ASP.NET AJAX are at risk.

💻 Affected Systems

Products:
  • Progress Telerik UI for ASP.NET AJAX
Versions: 2021.1.224 and potentially earlier versions
Operating Systems: Windows with ASP.NET support
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes this is a vulnerability, stating the output doesn't indicate true command execution or data leakage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing remote code execution, data exfiltration, and complete system control.

🟠 Likely Case

Unauthorized access to server resources and potential code execution leading to data breach or system manipulation.

🟢 If Mitigated

Limited impact with proper input validation and access controls preventing command injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves URI manipulation with command injection via _TSM_HiddenField_ parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not provided by vendor

Vendor Advisory: Not available - vendor disputes vulnerability

Restart Required: No

Instructions:

Upgrade to latest Telerik UI version and implement input validation controls.

🔧 Temporary Workarounds

Input Validation Filter (platform: Windows)

  • Implement strict input validation for the _TSM_HiddenField_ parameter
  • Implement ASP.NET request filtering for Telerik.Web.UI.WebResource.axd

Access Restriction (platform: Windows)

  • Restrict access to the Telerik.Web.UI.WebResource.axd file
  • Add web.config rules to limit access to authorized users only
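The two workarounds above can be expressed in a single web.config. The fragment below is an added example, not vendor guidance and not a file from this page: it assumes a standard ASP.NET/IIS application, uses the `?` token (ASP.NET's name for anonymous users) to deny unauthenticated access to the handler, and scopes an IIS request-filtering rule to the same path using the two keywords the page's SIEM query already looks for.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example (assumed layout): everything below applies only to the
       Telerik resource handler, not to the rest of the site. -->
  <location path="Telerik.Web.UI.WebResource.axd">
    <system.web>
      <authorization>
        <!-- "?" = anonymous users; "*" = everyone else (authenticated). -->
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <!-- IIS request filtering (IIS 7.5+). Assumption: no legitimate
             query string to this handler ever contains these sequences. -->
        <requestFiltering>
          <denyQueryStringSequences>
            <add sequence="cmd" />
            <add sequence="powershell" />
          </denyQueryStringSequences>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to check before deploying this. First, Telerik.Web.UI.WebResource.axd serves the combined script bundles for every page that uses RadScriptManager, so denying anonymous users is only safe on applications where every page already requires authentication; on a site with public pages it will break script loading for visitors. Second, `denyQueryStringSequences` is a substring match, so a sequence such as `cmd` will also reject legitimate values that happen to contain it; confirm against your own access logs that no normal request trips the rule, and make sure the `requestFiltering` section is not locked in applicationHost.config, or the `<location>` override will be ignored.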

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious requests to WebResource.axd
  • Monitor and alert on access attempts to Telerik.Web.UI.WebResource.axd with unusual parameters

🔍 How to Verify

Check if Vulnerable:

Test if Telerik.Web.UI.WebResource.axd is accessible and accepts _TSM_HiddenField_ parameter with command injection

Check Version:

Check Telerik UI assembly version in web.config or bin directory

Verify Fix Applied:

Verify input validation blocks malicious _TSM_HiddenField_ parameters and access to WebResource.axd is properly restricted

📡 Detection & Monitoring

Log Indicators:

  • Requests to Telerik.Web.UI.WebResource.axd with _TSM_HiddenField_ parameter containing suspicious characters

Network Indicators:

  • Unusual traffic patterns to WebResource.axd endpoints

SIEM Query:

source="web_server" AND uri="*WebResource.axd*" AND (param="*_TSM_HiddenField_*" OR contains(param, "cmd") OR contains(param, "powershell"))
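The log indicator and SIEM query above can be turned into a small offline check. The script below is an added example, not part of this page and not Telerik's code: it assumes IIS W3C-format access logs with the field order `date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status`, assumes that a legitimate `_TSM_HiddenField_` value is an ASP.NET control client ID (letters, digits and underscores, e.g. `ctl00_RadScriptManager1_TSM`), and reuses the `cmd`/`powershell` keywords from the SIEM query. The sample log lines are constructed for the example.

```python
"""Flag requests to Telerik.Web.UI.WebResource.axd whose _TSM_HiddenField_
value does not look like a legitimate ScriptManager client ID.
Added example; assumes IIS W3C log layout described in the lead-in."""
import re
from urllib.parse import unquote_plus

# Assumption: a legitimate value is an ASP.NET client ID, i.e. [A-Za-z0-9_]+ only.
LEGIT_VALUE = re.compile(r"^[A-Za-z0-9_]+$")
# Keywords taken from the page's SIEM query (matched case-insensitively).
SUSPICIOUS_KEYWORDS = ("cmd", "powershell")
TARGET_STEM = "/telerik.web.ui.webresource.axd"

# Constructed sample lines (not real traffic). Line 2 and line 4 should be flagged;
# line 1 is a normal script-combining request, line 3 is an unrelated page.
SAMPLE_LOG = """\
2021-03-10 10:00:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1_TSM&compress=1 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-10 10:00:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1_TSM%3Bcmd 443 - 198.51.100.7 curl/7.68.0 200
2021-03-10 10:00:03 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2021-03-10 10:00:04 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00%3Ctest%3E 443 - 198.51.100.7 python-requests/2.25 200
"""


def parse_w3c_line(line):
    """Return the fields we need from one W3C line, or None for comments/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 9:
        return None
    return {
        "stem": parts[4],
        "query": "" if parts[5] == "-" else parts[5],
        "client": parts[8],
    }


def parse_query(query):
    """Split a query string on '&' only and percent-decode keys and values.
    Done by hand so behaviour does not depend on the Python version's
    handling of ';' as a separator in urllib.parse.parse_qs."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def classify_tsm_value(value):
    """Return a reason string if the decoded value looks suspicious, else None."""
    lowered = value.lower()
    for kw in SUSPICIOUS_KEYWORDS:
        if kw in lowered:
            return f"keyword '{kw}' in _TSM_HiddenField_"
    if not LEGIT_VALUE.match(value):
        return "unexpected characters in _TSM_HiddenField_"
    return None


def scan_log(text):
    """Return one finding per suspicious _TSM_HiddenField_ value sent to the handler."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_w3c_line(line)
        if rec is None or rec["stem"].lower() != TARGET_STEM:
            continue
        for value in parse_query(rec["query"]).get("_TSM_HiddenField_", []):
            reason = classify_tsm_value(value)
            if reason:
                findings.append(
                    {"line": lineno, "client": rec["client"], "value": value, "reason": reason}
                )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {f['reason']} ({f['value']!r})")
```

The keyword check is deliberately a substring match, mirroring the SIEM query, so a client ID that happens to contain `cmd` would be reported; the character-class check is the more robust of the two, because the handler's legitimate callers only ever send a control ID in this parameter. Tune `LEGIT_VALUE` against a day of your own logs before alerting on it.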
