Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could lead to remote code execution.
The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), affects Report Server versions 2024 Q2 (10.1.24.514) and earlier.
“Progress Telerik Report Server versions prior to Q2 2024 (10.1.24.709) may be susceptible to remote code execution attacks due to an insecure deserialization vulnerability,” the company said in its advisory.
Deserialization flaws arise when an application rebuilds objects from attacker-controlled serialized data without validating it. Because the deserializer may instantiate whatever types the input names and run their initialization logic, a crafted payload can lead to arbitrary code or command execution in the context of the process that performs the deserialization.
Progress Software states that the flaw has been fixed in version 10.1.24.709. As a temporary mitigation, the company recommends changing the Report Server application pool user to an account with limited permissions. Note that this only limits what an attacker can do after exploitation; it does not remove the deserialization flaw itself, so upgrading remains the actual fix.
Administrators can determine whether their servers are affected by checking the installed version as follows:
- Go to the Report Server Web UI and log in with an account that has administrator privileges.
- Open the configuration page (~/Configuration/Index).
- Select the "Version Info" tab; the version number is displayed in the right pane. Any version lower than 10.1.24.709 is affected.
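The following PowerShell script is an added example and is not code from Progress or from the advisory. It compares the version string read from the "Version Info" tab with the fixed build and, when the server is affected, applies the interim mitigation of running the IIS application pool under a low-privilege account using the WebAdministration module. The application pool name "TelerikReportServer" and the account passed in via -LowPrivCredential are assumptions; substitute the names from your own installation.

```powershell
# Added example (not from the Progress advisory): check a Telerik Report Server
# version against the fixed build and, if affected, move the IIS application
# pool to a low-privilege account as the interim mitigation.
# Assumptions: the pool name below is a placeholder, and the credential is for
# a dedicated account you have already created with minimal rights.
param(
    # Version string as shown on the Version Info tab, e.g. "10.1.24.514"
    [Parameter(Mandatory)] [string] $InstalledVersion,
    # Assumed application pool name; check IIS Manager for the real one
    [string] $AppPoolName = 'TelerikReportServer',
    # Low-privilege service account to run the pool as (assumed to exist)
    [Parameter(Mandatory)] [pscredential] $LowPrivCredential
)

# First build that contains the fix, per the Progress advisory
$FixedVersion = [version]'10.1.24.709'

function Test-ReportServerAffected {
    param([string] $Version)
    # [version] comparison handles the four-part build numbers correctly;
    # a plain string comparison would not (e.g. "10.1.24.514" vs "10.1.24.709").
    return ([version]$Version -lt $FixedVersion)
}

if (-not (Test-ReportServerAffected $InstalledVersion)) {
    Write-Output "Report Server $InstalledVersion is at or above $FixedVersion; not affected by CVE-2024-6327."
    return
}

Write-Warning "Report Server $InstalledVersion is below $FixedVersion and is affected by CVE-2024-6327."

Import-Module WebAdministration
$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$AppPoolName' not found; check the pool name in IIS Manager."
}

# Switch the pool identity to the low-privilege account (identitytype 3 = SpecificUser).
Set-ItemProperty $poolPath -Name processModel -Value @{
    identitytype = 3
    userName     = $LowPrivCredential.UserName
    password     = $LowPrivCredential.GetNetworkCredential().Password
}
Restart-WebAppPool -Name $AppPoolName

Write-Warning "Pool '$AppPoolName' now runs as $($LowPrivCredential.UserName). This limits post-exploitation impact only; upgrade to $FixedVersion or later."
```

Run it from an elevated PowerShell session on the Report Server host, for example `.\Check-ReportServer.ps1 -InstalledVersion 10.1.24.514 -LowPrivCredential (Get-Credential)`. The account you supply still needs read and write access to the Report Server storage and configuration folders, so verify the service starts and reports render after the change.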
The disclosure comes nearly two months after the company fixed another critical flaw in the same software (CVE-2024-4358, CVSS score: 9.8) that could be exploited by remote attackers to bypass authentication and create rogue admin users.