External risk intelligence

Telerik UI flaw lets attackers take control of your servers

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-6023

Progress Telerik UI for AJAX has a critical flaw allowing attackers to run malicious code on your servers by tricking a web component into processing bad data. This could impact internet-facing applications.

Halo Surface Signal: 4

Weakness class: Deserialization

Affected product: Progress Telerik UI for ASP.NET AJAX

Affected versions: 2024.4.1114 to before 2026.1.421

External exposure likelihood

Halo Surface Signal score for CVE-2026-6023

This vulnerability affects a UI component library used within web applications. Because these applications are commonly deployed as public-facing websites, portals, or web services, the vulnerable control is frequently reachable from the internet in standard production environments.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Progress Telerik UI for AJAX that allows attackers to execute arbitrary code on the server. This occurs when the RadFilter control improperly handles its state, making it susceptible to tampering if exposed to clients. This issue warrants immediate attention due to the potential for significant server-side compromise.

  • Remote code execution is possible.
  • Affects web applications using the control.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can achieve remote code execution by manipulating the filter state of the Telerik UI for AJAX control. This state, if exposed client-side, can be tampered with and then sent back to the server, triggering insecure deserialization. Successful exploitation would allow an attacker to run arbitrary code on the affected server.

  • No authentication required.
  • Target: RadFilter control's client-side state.
  • State exposure to client is key.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its remote code execution capabilities without requiring user interaction or prior privileges, affecting a widely used UI component. Attackers are likely to target this because it allows for direct server compromise through a network-accessible vulnerability in a common web application component.

  • No authentication required for exploitation.
  • No user interaction needed.
  • Public exploit availability is unknown.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize blocking access to the RadFilter control and investigating which services use Telerik UI for AJAX, as unpatched versions allow unauthenticated remote code execution. Review logs for signs of the deserialization vulnerability being exploited, focusing on requests where filter state might be manipulated.

  • Isolate or disable Telerik UI if patching is delayed.
  • Block network access to RadFilter.
  • Monitor for exploit indicators.
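The first step above, working out which services run an affected build, depends on comparing Telerik's YEAR.QUARTER.BUILD version strings against the range the advisory lists (2024.4.1114 up to, but not including, 2026.1.421). The following triage helper is an added example written for this page, not code from Progress or from the advisory's publisher; it assumes an inventory has already been exported as constructed `host,app,telerik_version` CSV lines and classifies each entry numerically, which matters because plain string comparison mis-orders builds such as 2025.1.999 and 2025.1.1000.

```python
"""Triage helper: classify inventoried Telerik UI for ASP.NET AJAX installs
against the CVE-2026-6023 affected range. Added example, not vendor code."""
from dataclasses import dataclass

# Range taken from the advisory: affected from 2024.4.1114 up to, but not
# including, the fixed build 2026.1.421.
AFFECTED_FROM = "2024.4.1114"
FIXED_IN = "2026.1.421"


def parse_version(text):
    """Parse Telerik's YEAR.QUARTER.BUILD scheme into an int tuple.

    Numeric tuples compare correctly where strings do not: as strings,
    "2025.1.999" > "2025.1.1000" because "9" sorts after "1".
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Telerik version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the build lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


@dataclass
class Finding:
    host: str
    app: str
    version: str
    status: str  # "affected", "fixed", "older" or "unknown"


def triage(inventory_csv):
    """Classify each inventory line.

    inventory_csv: lines of host,app,telerik_version. The CSV layout is an
    assumption of this example, not something the advisory defines.
    """
    fixed = parse_version(FIXED_IN)
    affected_from = parse_version(AFFECTED_FROM)
    findings = []
    for line in inventory_csv.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, app, version = (f.strip() for f in line.split(",", 2))
        try:
            v = parse_version(version)
        except ValueError:
            # Unknown build: still needs a human check, so keep it visible.
            findings.append(Finding(host, app, version, "unknown"))
            continue
        if v >= fixed:
            status = "fixed"
        elif v >= affected_from:
            status = "affected"
        else:
            # Below the listed range; the advisory does not say these are
            # safe, so confirm against the vendor's notes before closing.
            status = "older"
        findings.append(Finding(host, app, version, status))
    return findings


# Constructed sample inventory; hosts, apps and versions are illustrative.
SAMPLE_INVENTORY = """\
# host,app,telerik_version
web01,customer-portal,2025.1.218
web02,intranet,2026.1.421
web03,legacy-reports,2023.3.1010
web04,partner-api,2024.4.1114
web05,hr-portal,unknown
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:6} {f.app:16} {f.version:12} {f.status}")
```

Entries reported as "affected" are the ones to patch or isolate first; "unknown" entries mean the inventory export itself needs fixing before the exposure picture can be trusted.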

Frequently asked questions

What is Progress Telerik UI for AJAX?

Progress Telerik UI for AJAX is a suite of components developers use to build interactive web applications. It provides UI elements like grids and editors to enhance website functionality and user experience.

What is CVE-2026-6023 and its weakness class?

CVE-2026-6023 is a critical vulnerability in Progress Telerik UI for AJAX. It is classified as insecure deserialization (CWE-502), allowing potential server-side code execution if an attacker tampers with exposed filter state.

How can CVE-2026-6023 be exploited?

An unauthenticated attacker can exploit CVE-2026-6023 by tampering with the client-side state of the RadFilter control. When this state is improperly deserialized on the server, it can lead to remote code execution.

What is the relevance of CVE-2026-6023?

This vulnerability is highly relevant because it allows for unauthenticated remote code execution on servers using affected versions of Telerik UI for AJAX. The component's common use in web applications increases the potential attack surface.

What action should be taken for CVE-2026-6023?

To address CVE-2026-6023, teams should prioritize patching affected Progress Telerik UI for AJAX versions. If immediate patching isn't possible, consider isolating or disabling the RadFilter control and blocking network access to it while monitoring for exploitation attempts.
