Hackers Exploiting a Six-year-old IIS Vulnerability to Gain Remote Access

In a concerning revelation, cybersecurity firm eSentire’s Threat Response Unit (TRU) has detected active exploitation of a six-year-old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.

This flaw, which affects Internet Information Services (IIS) servers, enables malicious actors to gain unauthorized remote access and execute commands, posing a significant threat to unpatched systems.

The vulnerability remains a critical attack vector despite its age, underscoring the persistent challenge of legacy vulnerabilities in enterprise environments.

Attack Methodology

The exploitation process begins with threat actors probing IIS servers for an active file upload handler.

Once confirmed, they deploy a customized proof-of-concept (PoC) exploit to upload a reverse shell.

The reverse shell is a mixed-mode .NET assembly designed to establish a connection with a command-and-control (C2) server using Windows Sockets.

Upon gaining access, adversaries escalate their activities by executing reconnaissance commands, enumerating users, and leveraging tools like “cmd ...