Threats / Progress / CVE-2017-9248
CVE-2017-9248
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Progress ASP.NET AJAX and Sitefinity vulnerability
Progress Telerik UI for ASP.NET AJAX and Sitefinity contain a cryptographic weakness in Telerik.Web.UI.dll enabling disclosure of encryption keys, XSS attacks, ViewState compromise, and unauthorized file operations.
Verdict
Today item — known-exploited.
A cryptographic implementation flaw in Telerik.Web.UI.dll allows attackers to extract encryption keys and machine credentials, leading to session hijacking, arbitrary code execution via ViewState manipulation, and unauthorized file access on affected ASP.NET applications.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
7 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03).
Probability (EPSS)
EPSS 0.75098 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Progress, ASP.NET AJAX and Sitefinity. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-522 Insufficiently Protected Credentials — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I exploit the weak cryptographic implementation to extract the DialogParametersEncryptionKey or MachineKey from the application.
Business
Encryption keys are compromised, eliminating cryptographic protections for sensitive application data and session tokens.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
Using the disclosed keys, I forge or decrypt the ASP.NET ViewState to inject malicious serialized objects.
Business
Attackers gain remote code execution capability through ViewState deserialization, enabling full application compromise.
3
Lateral reach — past segmentation narrative 3
Attacker
I craft XSS payloads through the compromised encryption mechanism to execute arbitrary JavaScript in user browsers.
Business
User sessions are hijacked, credentials are stolen, and malware is distributed to application users.
4
Data at risk — exfiltration narrative 4
Attacker
I leverage the cryptographic weakness to upload malicious files or download sensitive application data.
Business
Confidential business data is exfiltrated and the server is used to host malware or launch further attacks.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05