2025-02-04
The persistence of old, long-patched vulnerabilities remains a critical issue in cybersecurity. One such case is the continued exploitation of a six-year-old flaw, CVE-2019-18935, a .NET deserialization bug in the file upload handler of Progress Telerik UI for ASP.NET AJAX. Despite being disclosed in 2019, the vulnerability is still a target for attackers seeking unauthorized access. It affects ASP.NET applications that bundle the vulnerable Telerik component, which in practice means Internet Information Services (IIS) servers, and it is being actively exploited by threat actors who deploy reverse shells and privilege escalation tools. This article covers the latest findings on this ongoing activity, its technical details, and the actions needed to mitigate the risk.
Summary
A serious flaw, CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX, is being actively exploited in 2025, six years after its initial disclosure. Attackers are using it to gain remote code execution on Internet Information Services (IIS) servers, deploy reverse shells and escalate privileges. The bug is a .NET deserialization weakness in the component's RadAsyncUpload handler: an attacker who knows the handler's encryption keys (many deployments never changed the defaults) can upload a malicious .NET assembly and have the server load it. Because the code runs inside the IIS worker process (w3wp.exe), the attackers execute commands through cmd.exe spawned by that process, and their reverse shells are stored in the C:\Windows\Temp directory as .dll files. These shells connect to command-and-control servers, after which the attackers enumerate system users and run reconnaissance commands.
The attackers first probe candidate IIS servers with HTTP requests to the Telerik file upload handler. Once the vulnerability is confirmed, they upload and execute reverse shells and establish communication with their own infrastructure. For privilege escalation they used JuicyPotatoNG, an open-source tool that abuses the impersonation privilege typically held by the IIS worker account to obtain SYSTEM, dropping its executable in world-writable public directories. Batch files of unknown purpose were also found on the compromised hosts; their exact function has not been determined.
eSentire's response team isolated the compromised systems and advised organizations to patch affected Telerik installations and to deploy endpoint detection and response (EDR) tooling. The ongoing exploitation underscores the importance of timely patching and disciplined vulnerability management.
What Undercode Say:
The exploitation of CVE-2019-18935 serves as a stark reminder that even well-known vulnerabilities can remain a threat if they are not addressed. This particular flaw, which was disclosed in 2019, continues to pose a significant risk because many organizations have not implemented the necessary patches. The fact that attackers are actively exploiting this vulnerability in 2025 highlights a common issue in cybersecurity—failure to prioritize and deploy critical updates.
One of the most alarming aspects of this activity is how ordinary the post-exploitation method is. Attackers use reverse shells to keep an interactive foothold on compromised servers and escalate privileges with open-source tools such as JuicyPotatoNG, which abuses the SeImpersonatePrivilege that IIS application pool identities usually hold. These tools are not new, yet they still work wherever nothing blocks or flags them. That points to a gap in basic security hygiene in the organizations that leave such exploits unaddressed.
The reverse shells stored in the C:\Windows\Temp directory are particularly concerning because they sit in a legitimate system directory that the IIS worker writes to routinely, so the files alone attract little attention. Because the malicious code runs inside the legitimate IIS worker process (w3wp.exe) and issues its commands through cmd.exe, reconnaissance can blend into normal server activity and evade controls that only look at the web tier. The chain is not invisible, however: a web worker process spawning cmd.exe, a .dll appearing in C:\Windows\Temp, and an .exe dropped into a public directory are each anomalies that endpoint telemetry can surface, which is why advanced monitoring and proactive detection matter here.
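The attack chain in the summary above and the detection opportunities just described can be turned into a small hunt. The following Python is an added example written for this article, not code from eSentire, Progress or Undercode. It assumes a simplified IIS W3C log column layout and Sysmon-style process and file events (both constructed here), and it keys on the Telerik upload handler path Telerik.Web.UI.WebResource.axd with type=rau, on w3wp.exe spawning a shell, on a .dll written under C:\Windows\Temp, and on an .exe dropped into a public directory.

```python
"""Hunt for the CVE-2019-18935 post-exploitation pattern described in the article.

Added example; the log layouts and every sample line below are constructed for
the demo and are assumptions about what a real IIS log and EDR feed would carry.
"""
import re
from dataclasses import dataclass

# Telerik's RadAsyncUpload handler is served through this resource with type=rau;
# the deserialization bug is reached by posting to it.
UPLOAD_HANDLER = re.compile(r"telerik\.web\.ui\.webresource\.axd$", re.I)
RAU_TYPE = re.compile(r"(?:^|&)type=rau(?:&|$)", re.I)
# Uploaded payload assemblies land in the IIS worker's temp directory.
TEMP_DLL = re.compile(r"^c:\\windows\\temp\\[^\\]+\.dll$", re.I)
# Public directories where privilege-escalation binaries were dropped.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")
SHELLS = ("cmd.exe", "powershell.exe")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_iis_line(line: str):
    """One IIS W3C line in the constructed layout:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    Returns a Finding for any request that reaches the Telerik upload handler."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _, _, client, method, stem, query, status = parts
    if UPLOAD_HANDLER.search(stem) and RAU_TYPE.search(query):
        stage = "upload attempt" if method.upper() == "POST" else "probe"
        return Finding("telerik_rau_handler",
                       f"{client} {method} {stem}?{query} -> {status} ({stage})")
    return None


def check_event(ev: dict):
    """One endpoint event as a flat dict (Sysmon-style keys, constructed):
    kind=process: Image, ParentImage, CommandLine
    kind=file:    Image, TargetFilename"""
    image = ev.get("Image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    if ev["kind"] == "process":
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        # A web worker should never need an interactive shell.
        if parent == "w3wp.exe" and basename in SHELLS:
            return Finding("w3wp_spawns_shell",
                           f"{parent} -> {basename}: {ev.get('CommandLine', '')}")
    elif ev["kind"] == "file":
        target = ev.get("TargetFilename", "")
        tl = target.lower()
        if basename == "w3wp.exe" and TEMP_DLL.match(tl):
            return Finding("dll_written_to_windows_temp", f"{basename} wrote {target}")
        if tl.endswith(".exe") and tl.startswith(PUBLIC_DIRS):
            return Finding("exe_dropped_in_public_dir", f"{basename} wrote {target}")
    return None


def hunt(iis_lines, events):
    """Run both checks and return every Finding, web log hits first."""
    findings = [f for f in map(check_iis_line, iis_lines) if f]
    findings += [f for f in map(check_event, events) if f]
    return findings


# Constructed sample data: one probe, one upload, the dropped DLL, the shell,
# the escalation binary, and one benign cmd.exe launched from explorer.exe.
SAMPLE_IIS = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2025-01-20 03:14:07 203.0.113.7 GET /Telerik.Web.UI.WebResource.axd type=rau 200",
    "2025-01-20 03:14:09 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200",
    "2025-01-20 03:15:00 198.51.100.4 GET /index.aspx - 200",
]
SAMPLE_EVENTS = [
    {"kind": "file", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Windows\\Temp\\1737342849.dll"},
    {"kind": "process", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami /all"},
    {"kind": "file", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\Public\\JuicyPotatoNG.exe"},
    {"kind": "process", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_IIS, SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.evidence}")
```

A hit on the upload handler by itself is only a lead, since legitimate RadAsyncUpload traffic uses the same path; the strong signal is that hit followed, on the same host, by w3wp.exe writing a .dll to C:\Windows\Temp and then spawning cmd.exe. The sample run yields five findings and correctly ignores the explorer.exe-launched shell.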
Moreover, the discovery of batch files whose function remains unclear points to additional attack stages that could further compromise the host or facilitate lateral movement within the network. This raises questions about the security architecture of the affected organizations: how well are their networks segmented, and is activity monitored in real time? The presence of such files suggests the attackers may be staging future operations, so organizations should treat these indicators as signs of an ongoing compromise rather than a completed attack.
The fact that this vulnerability has been exploited despite the availability of patches for years indicates a broader problem in the industry: many organizations are still operating with unpatched, outdated software. This issue is compounded by the increasing complexity of modern IT environments, where security teams are stretched thin, and patch management can become a secondary concern. In this case, the reliance on automated patching systems and vulnerability scanners is not enough. There must be a concerted effort to prioritize critical patches and to validate their deployment.
This activity also shows how little novelty attackers need. A public exploit for a 2019 bug, a reverse shell calling back to a command-and-control (C2) server, and a well-known tool like JuicyPotatoNG for privilege escalation are enough to take a server when the target is unpatched and unmonitored. Adversaries keep refining how they chain existing vulnerabilities and commodity tooling, so organizations must stay ahead by investing in threat intelligence, regularly reviewing their security posture, and using detection mechanisms such as Endpoint Detection and Response (EDR) that watch process lineage on the servers themselves.
In conclusion, the CVE-2019-18935 exploit is not just a technical issue—it’s a wake-up call for organizations to improve their patch management processes, strengthen system monitoring, and embrace a proactive approach to cybersecurity. The persistent exploitation of this vulnerability, six years after its disclosure, underscores the need for organizations to remain vigilant and responsive to the evolving threat landscape.
References:
Reported By: https://cyberpress.org/hackers-exploit-six-year-old-iis-vulnerability/