In a concerning development, cybersecurity researchers have identified active exploitation of a known six-year-old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.
The flaw has become a focal point for threat actors seeking to gain remote access to Internet Information Services (IIS) servers by deploying reverse shells and leveraging privilege escalation tools.
Despite being disclosed in 2019, the persistence of this vulnerability underscores the critical need for robust patch management and system hardening practices.
The attacks, observed in January 2025 by the eSentire Threat Response Unit (TRU), involved adversaries using the IIS worker process (w3wp.exe) to load reverse shells for executing reconnaissance commands through cmd.exe.
Notably, the reverse shells, detected as mixed-mode .NET assemblies, were stored as .dll files in the C:\Windows\Temp directory.
Upon successful execution, the shells established connections to a command-and-control (C2) server, enabling attackers to execute a range of discovery actions, including enumerating system users through commands like net.exe and net1.exe.
Technical Details of Exploitation
The exploitation began with attackers probing vulnerable IIS servers using tailored HTTP requests to the Telerik file upload handler resource (Telerik.Web.UI.WebResource.axd).
IIS logs provided evidence of these interactions, with requests aiming to confirm the availability and vulnerability of the handler.
Once validated, the threat actors deployed a modified proof-of-concept exploit to upload and execute a reverse shell.
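The two observations above (probes of the Telerik handler visible in IIS logs, and cmd.exe, net.exe and net1.exe launched from w3wp.exe with the shell DLL loaded from C:\Windows\Temp) lend themselves to log-based detection. The following Python is an added example written for this page, not eSentire's or Telerik's code; it runs over constructed IIS W3C log lines and constructed process-creation and image-load events. The `type=rau` query value is the RadAsyncUpload handler selector known from Telerik's documentation and is assumed here; the article itself only names the .axd resource.

```python
"""Defensive triage over constructed data for the activity described above.

1. IIS W3C log rows: requests that reach the Telerik upload handler
   (Telerik.Web.UI.WebResource.axd) with type=rau (assumed selector).
2. Process ancestry: cmd.exe / net.exe / net1.exe whose ancestry leads
   back to the IIS worker process w3wp.exe.
3. Image loads: DLLs loaded by w3wp.exe from C:\\Windows\\Temp.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TELERIK_HANDLER = "telerik.web.ui.webresource.axd"
# Discovery binaries the article reports being run from the IIS worker process.
SUSPICIOUS_CHILDREN = {"cmd.exe", "net.exe", "net1.exe"}
TEMP_DIR = re.compile(r"^c:\\windows\\temp\\", re.IGNORECASE)

# Constructed sample log: W3C extended format, field order given by #Fields.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-01-10 02:14:07 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2025-01-10 02:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
2025-01-10 02:15:01 10.0.0.5 GET /index.aspx - 203.0.113.9 200
2025-01-10 02:16:30 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd - 203.0.113.9 200
"""

# Constructed process-creation events (pid, parent pid, image path).
PROCESS_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4320, "ppid": 4312, "image": r"C:\Windows\System32\net.exe"},
    {"pid": 4324, "ppid": 4320, "image": r"C:\Windows\System32\net1.exe"},
    {"pid": 5001, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe"},  # not under IIS
]

# Constructed image-load events for the worker process; the .dll name is made up.
IMAGE_LOADS = [
    {"pid": 4100, "image": r"C:\Windows\Temp\constructed.dll"},
    {"pid": 4100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
]


@dataclass(frozen=True)
class Hit:
    client: str
    method: str
    query: str
    reason: str


def parse_iis_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_telerik_upload_hits(text: str) -> list[Hit]:
    """Flag requests to the RadAsyncUpload handler; POSTs are upload attempts."""
    hits: list[Hit] = []
    for row in parse_iis_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "").lower()
        if TELERIK_HANDLER not in stem or "type=rau" not in query:
            continue
        method = row["cs-method"].upper()
        reason = ("upload to RadAsyncUpload handler" if method == "POST"
                  else "probe of RadAsyncUpload handler")
        hits.append(Hit(row["c-ip"], method, row["cs-uri-query"], reason))
    return hits


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def descends_from_w3wp(pid: int, procs: dict[int, tuple[str, int]]) -> bool:
    """Walk the parent chain from pid; True if any ancestor is w3wp.exe."""
    seen: set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        if basename(image) == "w3wp.exe":
            return True
        pid = ppid
    return False


def find_w3wp_children(events: list[dict]) -> list[tuple[int, str]]:
    """Discovery binaries whose ancestry (not just direct parent) includes w3wp.exe."""
    procs = {e["pid"]: (e["image"], e["ppid"]) for e in events}
    return [(e["pid"], basename(e["image"])) for e in events
            if basename(e["image"]) in SUSPICIOUS_CHILDREN
            and descends_from_w3wp(e["ppid"], procs)]


def find_temp_loads(loads: list[dict], events: list[dict]) -> list[str]:
    """DLLs loaded by w3wp.exe from C:\\Windows\\Temp."""
    procs = {e["pid"]: (e["image"], e["ppid"]) for e in events}
    return [ld["image"] for ld in loads
            if basename(procs.get(ld["pid"], ("", 0))[0]) == "w3wp.exe"
            and TEMP_DIR.match(ld["image"])]


if __name__ == "__main__":
    for h in find_telerik_upload_hits(IIS_LOG):
        print("IIS:", h)
    print("w3wp descendants:", find_w3wp_children(PROCESS_EVENTS))
    print("temp loads:", find_temp_loads(IMAGE_LOADS, PROCESS_EVENTS))
```

Walking the full ancestry rather than only the direct parent matters because net1.exe is spawned by net.exe, which is spawned by cmd.exe; a parent-only rule would catch cmd.exe but miss the enumeration commands themselves. Legitimate GETs for the handler's embedded script resources (no type=rau) are left alone.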
The reverse shell leveraged Windows Sockets APIs to establish communication with the C2 server at 213.136.75[.]130.
It redirected the input, output, and error streams of the legitimate Windows binary cmd.exe to the attacker's infrastructure, effectively enabling remote system control.
Additionally, investigation revealed that the attackers used open-source tools such as JuicyPotatoNG for privilege escalation, dropping executables like PingCaler.exe and JuicyPotatoNG.exe in public directories.
Mystery batch files (rdp.bat, user.bat, All.bat) were also discovered, but their specific functions remain unclear.
Mitigation
eSentire’s Incident Response team acted swiftly to isolate affected systems, reducing the risk of lateral movement and further compromise.
Organizations were advised to prioritize patching, with particular focus on internet-facing applications susceptible to exploitation.
Security teams were encouraged to assess their implementation of vulnerability management services and deploy Endpoint Detection and Response (EDR) solutions to detect anomalies at an early stage.
The case serves as a stark reminder of the ongoing risks posed by unpatched software, especially in widespread enterprise technologies.
Maintaining up-to-date systems and robust threat detection mechanisms is vital to countering the evolving tactics of adversaries.