Hackers Exploiting a Six-year-old IIS Vulnerability to Gain Remote Access

In a concerning revelation, cybersecurity firm eSentire’s Threat Response Unit (TRU) has detected active exploitation of a six-year-old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.

This flaw, which affects Internet Information Services (IIS) servers, enables malicious actors to gain unauthorized remote access and execute commands, posing a significant threat to unpatched systems.

The vulnerability remains a critical attack vector despite its age, underscoring the persistent challenge of legacy vulnerabilities in enterprise environments.

Attack Methodology

The exploitation process begins with threat actors probing IIS servers for an active file upload handler.

Once confirmed, they deploy a customized proof-of-concept (PoC) exploit to upload a reverse shell.

The reverse shell is a mixed-mode .NET assembly designed to establish a connection with a command-and-control (C2) server using Windows Sockets.

Upon gaining access, adversaries escalate their activities by executing reconnaissance commands, enumerating users, and leveraging tools like “cmd.exe” within the IIS worker process (w3wp.exe).

The reverse shells are often deposited in temporary directories with filenames resembling randomized numerical patterns, e.g., [10 digits].[6 digits].dll.

Additionally, attackers are deploying the JuicyPotatoNG privilege escalation tool under misleading file names like “PingCaler.exe” and “JuicyPotatoNG.exe” in public directories.

Batch scripts such as “rdp.bat” and “user.bat” have also been observed, though their specific functionalities remain unclear.

eSentire’s TRU identified these attacks in early January 2025 through suspicious activity logs within IIS servers.

For instance, IIS access logs displayed requests to vulnerable endpoints (Telerik.Web.UI.WebResource.axd) with specific query parameters, signaling exploitation attempts. Upon detection, the cybersecurity firm’s.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!