What is Telerik Report Server?
Progress Telerik Report Server is a centralized reporting platform used by enterprises to create, manage, schedule, and distribute business intelligence reports. It is typically deployed as an internal Windows-based web service, accessible to authorized users over HTTP/HTTPS, and integrates with enterprise data sources including SQL Server and other databases. Telerik products — including Report Server, UI for ASP.NET, and Reporting — have a history of critical deserialization and authentication vulnerabilities and are commonly targeted by threat actors familiar with the Progress/Telerik technology stack.
Overview
CVE-2024-4358 is an authentication bypass by spoofing vulnerability in Progress Telerik Report Server that allows an unauthenticated remote attacker to create a new administrator account by abusing the initial setup/registration workflow. The registration endpoint fails to verify whether the server has already been configured, so a new admin can be registered at any time. With those admin credentials, attackers then exploit CVE-2024-1800 (an insecure deserialization vulnerability in the same product) to gain OS-level remote code execution on the Report Server host. CISA added it to the KEV catalog on June 13, 2024.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Telerik Report Server | < 2024 Q2 (10.1.24.305) | 2024 Q2 (10.1.24.305) |
Technical Details
CWE-290 (Authentication Bypass by Spoofing). Telerik Report Server's initial setup process exposes a registration endpoint that creates the first administrator account. This endpoint lacks a guard to verify that the server has already been initialized and an admin account already exists. An unauthenticated attacker can invoke the registration endpoint at any time — even on a fully configured production server — to register a new administrator account with an attacker-chosen username and password, bypassing all authentication requirements.
Two-CVE attack chain:
- CVE-2024-4358 — unauthenticated registration endpoint creates a new admin account.
- CVE-2024-1800 (insecure deserialization, patched in 2024 Q1 / 10.0.24.305) — a deserialization endpoint accessible to authenticated users allows code execution. With the admin account from step 1, this endpoint is now reachable, enabling arbitrary code execution on the Report Server host.
The chain delivers unauthenticated remote code execution on any internet-accessible Telerik Report Server that has not applied both patches.
Discovery
Discovered and reported to Progress Software, which patched CVE-2024-4358 in the May 2024 Telerik Report Server 2024 Q2 release (10.1.24.305). The relatively short 15-day gap between patch publication (May 29) and CISA KEV addition (June 13) reflects rapid exploitation.
Exploitation Context
Active exploitation was confirmed and CISA added CVE-2024-4358 to the KEV catalog on June 13, 2024. The vulnerability was attractive to threat actors familiar with the Telerik stack — the same community that exploited earlier Telerik UI and Reporting deserialization CVEs (CVE-2019-18935, CVE-2017-9248, and others). Internet-exposed Telerik Report Server instances were targeted to gain initial code execution on enterprise Windows servers, which were then used as footholds for further lateral movement.
Remediation
- Upgrade to Telerik Report Server 2024 Q2 (10.1.24.305) or later, which patches CVE-2024-4358.
- Also verify that CVE-2024-1800 is patched (fixed in Telerik Report Server 2024 Q1, 10.0.24.305) — both must be addressed to close the full attack chain.
- Restrict Telerik Report Server access to trusted internal IP addresses; the application should not be internet-accessible.
- After patching, audit user accounts for any unauthorized administrator accounts created by attackers and remove them.
- Review Report Server access logs for unauthorized registration attempts or suspicious authenticated activity around the time window before patching.
- Conduct a host-level compromise assessment on the Report Server host if exploitation cannot be ruled out, given the OS code execution capability via CVE-2024-1800.
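A version-triage helper, added here as an example and not tooling from the advisory or from Progress: it applies the two fixed builds named above (10.1.24.305 for CVE-2024-4358, 10.0.24.305 for CVE-2024-1800) to an inventory of installed builds and reports whether each host still has the whole chain open, only the registration flaw open, or both closed. The hostnames and the pre-2024 build number in the sample inventory are constructed.

```python
# Added example (not part of the advisory): triage installed Telerik Report
# Server builds against the two fixed versions the advisory names.
# FIX_* values come from the advisory; the host inventory is constructed.
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

FIX_CVE_2024_4358: Version = (10, 1, 24, 305)  # 2024 Q2, closes auth bypass
FIX_CVE_2024_1800: Version = (10, 0, 24, 305)  # 2024 Q1, closes deserialization RCE


def parse_version(text: str) -> Version:
    """Parse a dotted four-part build string such as '10.1.24.305'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Telerik Report Server version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def classify(version_text: str) -> str:
    """'chain-open': below both fixes (unauthenticated admin creation plus RCE);
    'auth-bypass-open': deserialization fixed, rogue admins still registrable;
    'patched': at or above 2024 Q2, both CVEs closed."""
    v = parse_version(version_text)
    if v >= FIX_CVE_2024_4358:
        return "patched"
    if v >= FIX_CVE_2024_1800:
        return "auth-bypass-open"
    return "chain-open"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host; unparsable versions are flagged for manual review."""
    result: Dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            result[host] = classify(version_text)
        except ValueError:
            result[host] = "unknown-version"
    return result


# Constructed sample inventory (hostnames and the 9.x build are illustrative only).
SAMPLE_INVENTORY = {
    "rs-prod-01": "10.1.24.305",  # 2024 Q2: fully patched
    "rs-prod-02": "10.0.24.305",  # 2024 Q1: RCE closed, registration flaw open
    "rs-legacy": "9.2.23.1010",   # constructed pre-2024 build: whole chain open
    "rs-staging": "2024 Q2",      # release name, not a build number
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Feed it the build numbers collected from each server's installed-programs list or the Report Server about page; anything other than "patched" needs the upgrade, and "chain-open" hosts should also get the account audit described above.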
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-4358 |
| Vendor / Product | Progress — Telerik Report Server |
| NVD Published | 2024-05-29 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-290 |
| CISA KEV Added | 2024-06-13 |
| CISA KEV Deadline | 2024-07-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-05-29 | CVE published; Progress releases Telerik Report Server 2024 Q2 (10.1.24.305) with patch |
| 2024-06-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-07-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Telerik Report Server — CVE-2024-4358 Knowledge Base Article | Vendor Advisory |
| NVD — CVE-2024-4358 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |