
Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be exploited by a remote attacker to bypass authentication and create rogue administrator users.
The issue, tracked as CVE-2024-4358, carries a CVSS score of 9.8 out of a maximum of 10.0.
"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability," the company said in an advisory.
The shortcoming has been addressed in Report Server 2024 Q2 (10.1.24.514). Sina Kheirkhah of Summoning Team, who is credited with discovering and reporting the flaw, described it as a "very simple" bug that can be exploited by a "remote unauthenticated attacker to create an administrator user and login."
Besides updating to the latest version, Progress Software is urging customers to review their Report Server's users list for the presence of any new Local users that they may not have added.

As temporary workarounds until the patches can be applied, users are being asked to implement a URL Rewrite mitigation technique to remove the attack surface in the Internet Information Services (IIS) server.
The development arrives a little over a month after Progress remediated another high-severity flaw impacting the Telerik Report Server (CVE-2024-1800, CVSS score: 8.8) that could be exploited by an authenticated remote attacker to execute arbitrary code on affected installations.
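For readers unfamiliar with the mechanism, the following is an added illustration of what an IIS URL Rewrite mitigation of this kind looks like; it is not taken from the article or from Progress's advisory. It shows the general shape of a request-blocking rule placed in the affected site's web.config. The path pattern is a placeholder: the specific endpoint(s) to deny are given in the vendor advisory, which this article does not reproduce, and the rule requires the IIS URL Rewrite module to be installed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative web.config fragment (added example, not vendor-supplied).
     Place under the site root of the IIS application hosting the server. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Deny inbound requests matching a path pattern before the
             application ever sees them. PLACEHOLDER_PATH must be replaced
             with the pattern named in the vendor advisory. -->
        <rule name="Deny unauthenticated registration path" stopProcessing="true">
          <match url="^PLACEHOLDER_PATH" ignoreCase="true" />
          <!-- AbortRequest drops the connection; CustomResponse with a
               403 status is the alternative if a logged response is preferred. -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying the rule, a request to the blocked path should no longer reach the application, which can be confirmed from the IIS logs and by verifying that legitimate report-server pages still load; the workaround reduces exposure but does not replace upgrading to 2024 Q2 (10.1.24.514).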

In a hypothetical attack scenario, a malicious actor could fashion CVE-2024-4358 and CVE-2024-1800 into an exploit chain in order to sidestep authentication and execute arbitrary code with elevated privileges.
With vulnerabilities in Telerik servers actively exploited by threat actors in the past, it is essential that users take steps to update to the latest version as soon as possible to mitigate potential threats.