A critical security vulnerability has been discovered in the Progress® Telerik® Report Server, potentially allowing attackers to execute remote code on affected systems. The flaw, identified as CVE-2024-6327, has been assigned a CVSS score of 9.9 out of 10, indicating its severe nature.
The vulnerability affects Progress Telerik Report Server versions before 2024 Q2 (10.1.24.709) and is classified as an insecure deserialization vulnerability (CWE-502). This flaw could enable remote attackers to execute arbitrary code on vulnerable installations, posing a significant risk to organizations using the affected software.
This vulnerability’s primary impact is the potential for remote code execution attacks. Progress Software has released an update to address this critical issue and strongly recommends that all users upgrade to Report Server version 2024 Q2 (10.1.24.709) or later. This update is currently the only comprehensive solution to remove the vulnerability.
A temporary mitigation strategy has been provided for users who are unable to update immediately. This involves changing the user account for the Report Server Application Pool to one with limited permissions. Detailed instructions for this process are available in the Progress Telerik knowledge base.
Checking and Updating
Users can verify their current Report Server version by following these steps:
- Log into the Report Server web UI using an administrator account
- Navigate to the Configuration page (~/Configuration/Index)
- Select the About tab to view the version number
Customers with an active Telerik Report Server license can access the necessary updates through the Product Downloads section of their Telerik account.
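To make the version check above repeatable across an estate, the following added example (not code from Progress or the advisory) compares the version shown on the About tab against the fixed build 10.1.24.709 named in the advisory; hostnames and version strings in the inventory are constructed for illustration.

```python
from typing import Dict, Tuple

# Fixed build named in the advisory: Report Server 2024 Q2 (10.1.24.709).
FIXED_VERSION = "10.1.24.709"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '10.1.24.709' into a comparable tuple.

    Missing trailing components are padded with zeros so that
    '10.1' compares as (10, 1, 0, 0).
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed Report Server build predates the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch required' or 'fixed' from its reported version."""
    return {
        host: ("patch required" if is_affected(version) else "fixed")
        for host, version in inventory.items()
    }


# Constructed sample inventory (illustrative hostnames and versions, not real data).
SAMPLE_INVENTORY = {
    "reports-01": "10.0.24.305",
    "reports-02": "10.1.24.709",
    "reports-03": "10.1.24.130",
    "reports-04": "10.2.24.1000",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```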
The discovery of this vulnerability highlights the ongoing challenges in software security, particularly in widely used enterprise tools. It reminds us of the importance of regular security updates and the potential risks associated with unpatched systems.
Progress Software has emphasized the critical nature of this update, urging all customers to take immediate action to protect their systems. The company has also acknowledged Markus Wulftange with CODE WHITE GmbH for their cooperation in identifying and addressing this security issue.
As cyber threats continue to evolve, organizations must remain vigilant and prioritize timely security updates to protect their critical infrastructure and data.