Cyber Security News

Hackers Exploiting a Six-year-old IIS Vulnerability to Gain Remote Access

In a concerning revelation, cybersecurity firm eSentire’s Threat Response Unit (TRU) has detected active exploitation of a six-year-old vulnerability, CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX.

This flaw, which affects Internet Information Services (IIS) servers, enables malicious actors to gain unauthorized remote access and execute commands, posing a significant threat to unpatched systems.

The vulnerability remains a critical attack vector despite its age, underscoring the persistent challenge of legacy vulnerabilities in enterprise environments.

Attack Methodology

The exploitation process begins with threat actors probing IIS servers for an active file upload handler.

Once confirmed, they deploy a customized proof-of-concept (PoC) exploit to upload a reverse shell.

IIS vulnerabilityIIS vulnerability
Decompiled reverse shell

The reverse shell is a mixed-mode .NET assembly designed to establish a connection with a command-and-control (C2) server using Windows Sockets.

Upon gaining access, adversaries escalate their activities by executing reconnaissance commands, enumerating users, and leveraging tools like “cmd.exe” within the IIS worker process (w3wp.exe).

The reverse shells are often deposited in temporary directories with filenames resembling randomized numerical patterns, e.g., [10 digits].[6 digits].dll.

Additionally, attackers are deploying the JuicyPotatoNG privilege escalation tool under misleading file names like “PingCaler.exe” and “JuicyPotatoNG.exe” in public directories.

Batch scripts such as “rdp.bat” and “user.bat” have also been observed, though their specific functionalities remain unclear.

eSentire’s TRU identified these attacks in early January 2025 through suspicious activity logs within IIS servers.

For instance, IIS access logs displayed requests to vulnerable endpoints (Telerik.Web.UI.WebResource.axd) with specific query parameters, signaling exploitation attempts. Upon detection, the cybersecurity firm’s.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

UK Government to Shift Away from Passwords in New Security Move

UK government has unveiled plans to implement passkey technology across its digital services later this…

58 seconds ago

Europol Dismantles DDoS-for-Hire Network and Arrests Four Administrators

Significant blow to cybercriminal infrastructure, Europol has coordinated an international operation resulting in the arrest…

9 minutes ago

Play Ransomware Deployed in the Wild Exploiting Windows 0-Day Vulnerability

Patched Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS) driver was exploited…

11 minutes ago

New Advanced Phishing Attack Exploits Discord to Target Crypto Users

Check Point Research has uncovered a sophisticated phishing campaign that leverages Discord to target cryptocurrency…

24 minutes ago

Fedora Linux Joins the Windows Subsystem for Linux Officially

Fedora Project has announced the official availability of Fedora Linux on the Windows Subsystem for…

56 minutes ago

Microsoft Launches “Copilot+ PC” for an Upgraded Windows Experience

Microsoft has announced a significant wave of new Windows experiences designed for Copilot+ PCs, which…

1 hour ago