CVE-2024-7292
📋 TL;DR
This vulnerability allows attackers to perform credential stuffing attacks against Progress Telerik Report Server by bypassing login attempt restrictions. Attackers can systematically test stolen credentials to gain unauthorized access. Organizations using affected versions of Telerik Report Server are at risk.
💻 Affected Systems
- Progress Telerik Report Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Report Server with administrative access, leading to data exfiltration, report manipulation, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive reports and data stored in the Report Server, potentially exposing confidential business information.
If Mitigated
Limited impact with proper monitoring and alerting on failed login attempts, though some credential testing may still occur.
🎯 Exploit Status
Credential stuffing attacks are well-understood and automated tools exist. No authentication is required to attempt exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 Q3 (10.2.24.806) or later
Vendor Advisory: https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292
Restart Required: Yes
Instructions:
1. Download the latest version (2024 Q3 or later) from the Telerik website.
2. Back up your current installation and configuration.
3. Run the installer to upgrade.
4. Restart the Report Server service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Implement Rate Limiting at Network Level
Use network appliances or web application firewalls to limit login attempts per IP address
Enable Multi-Factor Authentication
Add an additional authentication factor to prevent credential stuffing success
🧯 If You Can't Patch
- Implement network segmentation to isolate the Report Server from internet access
- Deploy a web application firewall with rate limiting rules for login endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Report Server version in the administration interface or via the installed files. Versions below 10.2.24.806 are vulnerable.
Check Version:
Check the Telerik Report Server administration dashboard or examine the installation directory for version information.
Verify Fix Applied:
Confirm the version is 10.2.24.806 or higher in the administration interface. Test that login attempts are now properly rate-limited.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from single IP addresses
- Unusual login patterns outside business hours
- Successful logins from previously unknown IPs
Network Indicators:
- High volume of POST requests to /Account/Login endpoint
- Traffic patterns consistent with automated credential testing tools
SIEM Query:
source="telerik-report-server" AND ((event="login_failed" AND count > 10 within 5 minutes) OR (event="login_successful" AND src_ip NOT IN allowed_ips))
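The two conditions in that query (a burst of failed logins from one source within 5 minutes, and a successful login from an address outside an allow-list) implemented as offline detection logic, as an added Python example that is not part of this advisory or of Telerik's documentation. The events, the threshold of 10, the window and the allow-list are constructed to mirror the SIEM query; they are not real Report Server log formats.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_THRESHOLD = 10           # "count > 10" in the SIEM query
WINDOW = timedelta(minutes=5)   # "within 5 minutes"
ALLOWED_IPS = {"10.0.0.5", "10.0.0.6"}  # assumed allow-list (constructed)


def build_sample_events():
    """Constructed events as (timestamp, event, src_ip); not real logs."""
    base = datetime(2024, 8, 1, 2, 0, 0)
    events = []
    # 12 failures in under 4 minutes from one source: should alert once
    for i in range(12):
        events.append((base + timedelta(seconds=20 * i), "login_failed", "203.0.113.7"))
    # 4 failures spread 15 minutes apart: never exceeds the threshold
    for i in range(4):
        events.append((base + timedelta(minutes=15 * i), "login_failed", "198.51.100.9"))
    events.append((base + timedelta(minutes=5), "login_successful", "10.0.0.5"))
    events.append((base + timedelta(minutes=6), "login_successful", "203.0.113.7"))
    return sorted(events)


def detect(events, allowed_ips=ALLOWED_IPS, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, src_ip, timestamp), processing events in time order.

    A sliding window per source IP keeps only failures inside `window`; when
    the count exceeds `threshold` one alert is raised and the window is reset
    so a single burst does not alert on every subsequent failure.
    """
    recent_failures = defaultdict(deque)  # src_ip -> failure timestamps in window
    alerts = []
    for ts, event, ip in sorted(events):
        if event == "login_failed":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > threshold:
                alerts.append(("excessive_failed_logins", ip, ts))
                q.clear()
        elif event == "login_successful" and ip not in allowed_ips:
            alerts.append(("success_from_unknown_ip", ip, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect(build_sample_events()):
        print(f"{ts.isoformat()} {kind} src_ip={ip}")
```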