
Progress Telerik fixes CVE-2024-4358


A critical vulnerability has been discovered in Progress Telerik Report Server, a popular report management solution used by organizations worldwide.

This vulnerability, tracked as CVE-2024-4358 with a CVSS score of 9.8, could allow unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to sensitive report data and server functionality.

This vulnerability can be exploited by an attacker who can bypass the authentication mechanism on an IIS server hosting the Report Server. The vulnerability poses significant risks, including unauthorized access to sensitive data and the potential for further exploitation within an organization’s network. Users are urged to review their Report Server’s user list for any new local users that were not added intentionally; the list is available by navigating to {host}/Users/Index.


The affected versions include Telerik Report Server version 2024 Q1 (10.0.24.305) and earlier. The only effective remediation for this vulnerability is to update to Telerik Report Server version 2024 Q2 (10.1.24.514) or later.
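The two checks above, the version comparison against the fixed build and the review of the user list for unexpected local accounts, are easy to automate. The following is an added example for defenders, not code from Progress or from this article: it takes the installed build string and a list of user names exported from {host}/Users/Index (the sample names and the baseline list are constructed here) and reports whether the server is below the fixed build 10.1.24.514 and which local users are not on an approved baseline. Treating every build older than 10.1.24.514 as unpatched is an assumption that follows the advisory's "update to 10.1.24.514 or later" guidance.

```python
"""Added defensive helper for CVE-2024-4358: version check and user-list review.

Not Progress/Telerik code. The user names below are constructed sample data.
"""
from typing import Iterable

# Build numbers quoted in the advisory.
LAST_AFFECTED = "10.0.24.305"   # Telerik Report Server 2024 Q1
FIRST_FIXED = "10.1.24.514"     # Telerik Report Server 2024 Q2

# Constructed sample data: the approved baseline and a fresh export of the
# local user list from {host}/Users/Index.
SAMPLE_BASELINE_USERS = ["admin", "reports.svc", "j.doe"]
SAMPLE_CURRENT_USERS = ["admin", "reports.svc", "j.doe", "backup_user"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '10.1.24.514' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build is older than the first fixed build.

    Assumption: anything below 10.1.24.514 is treated as unpatched, following
    the advisory's instruction to update to 2024 Q2 (10.1.24.514) or later.
    """
    return parse_version(installed) < parse_version(FIRST_FIXED)


def unexpected_users(current: Iterable[str], baseline: Iterable[str]) -> list[str]:
    """Return user names present in the current export but absent from the baseline.

    Comparison is case-insensitive and ignores surrounding whitespace so that
    trivial formatting differences in the export do not hide a new account.
    """
    known = {u.strip().lower() for u in baseline}
    return sorted({u.strip() for u in current if u.strip().lower() not in known})


def main() -> None:
    for build in (LAST_AFFECTED, FIRST_FIXED):
        state = "UNPATCHED" if is_vulnerable(build) else "patched"
        print(f"Report Server build {build}: {state}")
    extra = unexpected_users(SAMPLE_CURRENT_USERS, SAMPLE_BASELINE_USERS)
    if extra:
        print("Local users not on the approved baseline, review them:", ", ".join(extra))
    else:
        print("No unexpected local users found.")


if __name__ == "__main__":
    main()
```

Replace the constructed lists with the real baseline and the current export before use; any name the script reports should be verified with the team that administers the server, since the advisory flags unexplained new local users as a sign of possible abuse of this flaw.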

Organizations utilizing the Progress Telerik Report Server must prioritize this update to safeguard against potential attacks. Staying proactive in applying security patches and reviewing user access lists are essential steps in maintaining a secure and resilient IT environment.
