PatchSiren cyber security CVE debrief

CVE-2019-18935 Progress CVE debrief

CVE-2019-18935 is a Progress Telerik UI for ASP.NET AJAX vulnerability involving deserialization of untrusted data. CISA has listed it in the Known Exploited Vulnerabilities catalog and marked it as having known ransomware campaign use, which makes it a priority issue for defenders running the affected product.

Vendor: Progress
Product: Telerik UI for ASP.NET AJAX
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2021-11-03
Original CVE updated: 2021-11-03
Advisory published: 2021-11-03
Advisory updated: 2021-11-03

Who should care

Organizations that use Progress Telerik UI for ASP.NET AJAX, especially teams managing public-facing web applications, application security, vulnerability management, and incident response.

Technical summary

The issue is described as a deserialization of untrusted data vulnerability in Progress Telerik UI for ASP.NET AJAX. Unsafe deserialization flaws can create serious application-compromise risk when an attacker can influence the data being processed. The supplied sources do not include a CVSS score or vendor fix details, but CISA’s KEV listing confirms active exploitation and assigns remediation urgency.

Defensive priority

High. CISA has already cataloged this CVE as known exploited and notes known ransomware campaign use, so affected environments should treat it as an urgent remediation item.

Recommended defensive actions

  • Identify whether Progress Telerik UI for ASP.NET AJAX is deployed anywhere in your environment.
  • Prioritize patching or upgrading according to vendor instructions.
  • Focus first on internet-facing applications and externally reachable systems that use the affected component.
  • Validate whether compensating controls, detection, and monitoring are in place until remediation is complete.
  • Search for signs of compromise on systems that exposed the vulnerable component, especially where the application is externally accessible.
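The deployment-inventory step above, as an added PowerShell example that is not part of the PatchSiren debrief: it walks each IIS site's physical path (falling back to C:\inetpub) looking for the Telerik UI for ASP.NET AJAX assembly Telerik.Web.UI.dll and reports its file version, so the result can be compared against the vendor's fixed build, which this debrief does not state. The assembly name, the WebAdministration module and the fallback search root are assumptions.

```powershell
# Added example (not from the PatchSiren debrief): inventory IIS web roots for the
# Telerik UI for ASP.NET AJAX assembly (Telerik.Web.UI.dll) and record its version,
# so each finding can be compared against the vendor's fixed build (not stated here).
# Assumptions: run locally on each IIS host with read access to site physical paths;
# the WebAdministration module (shipped with IIS) is available for site enumeration.
param(
    # Fallback search roots used when IIS site enumeration is unavailable.
    [string[]]$SearchRoots = @('C:\inetpub')
)

$roots = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    # Physical path of every IIS site, with variables such as %SystemDrive% expanded.
    $roots = Get-Website | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_.PhysicalPath)
    }
}
if (-not $roots) { $roots = $SearchRoots }

$findings = foreach ($root in ($roots | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Host          = $env:COMPUTERNAME
                Path          = $_.FullName
                FileVersion   = $_.VersionInfo.FileVersion
                LastWriteTime = $_.LastWriteTime
            }
        }
}

if ($findings) {
    # One row per deployed copy; review each version against the vendor's fixed build.
    $findings | Sort-Object FileVersion, Path | Format-Table -AutoSize
} else {
    Write-Output "No Telerik.Web.UI.dll found under: $($roots -join ', ')"
}
```

Run it on every IIS host in scope and collate the output; copies under internet-facing sites are the ones to remediate first, per the ordering above.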

Evidence notes

The debrief is based only on the supplied CVE record, the CISA Known Exploited Vulnerabilities entry, and the official CVE/NVD resource links provided. The source corpus identifies the product, vulnerability class, KEV status, date added to KEV, due date, and known ransomware campaign use. No CVSS score or vendor remediation version was included in the supplied data, so those details are not asserted here.

Official resources

CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2021-11-03 and lists a remediation due date of 2022-05-03. The supplied CISA metadata also flags this CVE as having known ransomware campaign use.