Telerik Web UI RadAsyncUpload Deserialization - Vulnerability Database

Telerik Web UI RadAsyncUpload Deserialization

Description

Telerik UI for ASP.NET AJAX versions 2019.3.917 and earlier contain an insecure deserialization vulnerability in the RadAsyncUpload component. The component deserializes untrusted JSON data without proper validation, allowing unauthenticated attackers to execute arbitrary code remotely on the server.

Note: This detection is based on version identification. While the vulnerable code path exists in the identified version, actual exploitability depends on component configuration and deployment context.

Remediation

Immediately upgrade Telerik UI for ASP.NET AJAX to version R1 2020 (2020.1.114) or later, which addresses this deserialization vulnerability.

Remediation Steps:
1. Identify all applications using Telerik UI for ASP.NET AJAX and verify their current versions
2. Download the latest version from the Telerik website or use NuGet package manager
3. Update the Telerik.Web.UI assembly reference in your project and test thoroughly in a non-production environment
4. Deploy the updated version to production during a scheduled maintenance window
5. If immediate patching is not possible, implement the following temporary mitigations:
   - Disable the RadAsyncUpload component if not required
   - Restrict access to pages using RadAsyncUpload through network-level controls
   - Enable custom encryption keys as documented in Telerik's security guidance
6. Monitor web server logs for suspicious file upload activity or deserialization attempts
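To support step 1 (inventorying applications and their Telerik.Web.UI versions), the following is an added example, not part of the Invicti advisory or Telerik's tooling: it parses the YYYY.Q.BUILD version format and sorts each application into a bucket using the two boundaries the advisory states (2019.3.917 as the last affected version, 2020.1.114 as the first fixed release). Application names and versions in the sample inventory are constructed; versions above 2019.3.917 but below the fix are reported separately because the advisory does not name them, while the upgrade guidance still applies to them.

```python
# Added example (not from the advisory): triage an inventory of Telerik.Web.UI
# assembly versions against the ranges the advisory states.
import re

LAST_VULNERABLE = (2019, 3, 917)  # "2019.3.917 and earlier" (from the advisory)
FIXED = (2020, 1, 114)            # R1 2020, the first fixed release (from the advisory)

# Telerik.Web.UI assembly versions look like YYYY.Q.BUILD, e.g. 2019.3.917
_VERSION_RE = re.compile(r"^(\d{4})\.(\d)\.(\d{3,4})$")


def parse_version(text):
    """Return (year, release, build) or raise ValueError for unparseable input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Telerik.Web.UI version: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Map one version string to an action bucket."""
    try:
        v = parse_version(text)
    except ValueError:
        return "unparsed"        # needs manual inspection of the assembly
    if v <= LAST_VULNERABLE:
        return "vulnerable"      # inside the advisory's stated affected range
    if v < FIXED:
        return "below_fixed"     # not named by the advisory, but older than the fix
    return "fixed"


def triage(inventory):
    """Group {app_name: version_string} into buckets, app names sorted within each."""
    buckets = {"vulnerable": [], "below_fixed": [], "fixed": [], "unparsed": []}
    for app, version in sorted(inventory.items()):
        buckets[classify(version)].append(app)
    return buckets


# Constructed sample inventory (hypothetical application names).
SAMPLE_INVENTORY = {
    "intranet-portal": "2019.3.917",
    "hr-forms": "2016.2.504",
    "invoice-upload": "2020.1.114",
    "legacy-cms": "2019.3.1023",
    "ticketing": "unknown",
}

if __name__ == "__main__":
    for bucket, apps in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(apps) or '-'}")
```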
