
A newly disclosed vulnerability in Progress Telerik UI for ASP.NET AJAX could enable attackers to crash or potentially execute malicious code on millions of enterprise applications worldwide, security researchers have warned.
CVE-2025-3600, initially classified as a denial-of-service (DoS) vulnerability, affects Telerik UI versions from 2011.2.712 through 2025.1.218—a 14-year span that encompasses countless deployments. The flaw stems from unsafe reflection in the library's image editor cache handler, allowing attackers to instantiate arbitrary .NET classes through a simple HTTP request.
"This vulnerability may be higher [in severity], depending on the targeted codebase and available classes," researchers at watchTowr Labs explained in their analysis. The team demonstrated that while every affected application can be crashed with a single unauthenticated request, the real danger lies in chaining this flaw with other vulnerabilities.
The researchers proved this by combining CVE-2025-3600 with another vulnerability to achieve pre-authentication remote code execution on Sitecore Experience Platform CMS. The attack exploits insecure assembly resolvers (code that loads external libraries) present in target applications, allowing attackers to load malicious DLLs and gain complete system control.
Telerik UI for ASP.NET AJAX powers enterprise solutions across major corporations, government agencies, and SaaS platforms. A basic internet scan reveals approximately 185,000 publicly exposed instances, though researchers believe the actual number is significantly higher since many implementations don't advertise their presence.
The vulnerability is trivially exploitable—attackers need only send a GET request to a standard Telerik endpoint with specially crafted parameters. Progress has released patches, but real-world adoption remains slow months after disclosure.
Organisations using Telerik UI should immediately verify their installation by checking for the /Telerik.Web.UI.WebResource.axd handler and update to the latest patched version. System administrators should also review their web.config files and consider implementing additional monitoring for suspicious instantiation attempts.
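Two of those checks, as an added defender-side example that is not code from watchTowr Labs or Progress: it flags Telerik.Web.UI versions referenced in web.config that fall inside the affected range quoted above (assuming the usual year.quarter.build version format) and counts requests to the Telerik.Web.UI.WebResource.axd handler per client in W3C-format IIS logs. The web.config fragment and log lines are constructed samples, not taken from any real deployment.

```python
import re
from collections import Counter

# Inclusive affected range quoted in the article (2011.2.712 through 2025.1.218).
AFFECTED_MIN = (2011, 2, 712)
AFFECTED_MAX = (2025, 1, 218)
HANDLER_PATH = "/telerik.web.ui.webresource.axd"

def parse_version(text):
    """Parse a Telerik 'year.quarter.build' version string into a comparable tuple."""
    match = re.fullmatch(r"(\d{4})\.(\d)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Telerik version: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """True when the version lies inside the affected range (bounds included)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def telerik_versions_in_web_config(config_text):
    """Return the Telerik.Web.UI assembly versions referenced in a web.config."""
    pattern = r"Telerik\.Web\.UI,\s*Version=(\d+\.\d+\.\d+)"
    return sorted(set(re.findall(pattern, config_text)))

def handler_hits_by_client(log_lines):
    """Count requests to the Telerik resource handler per client IP in W3C IIS logs."""
    hits, fields = Counter(), None
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names from the directive
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue                            # other directives, blanks, or no header yet
        record = dict(zip(fields, line.split()))
        if record.get("cs-uri-stem", "").lower() == HANDLER_PATH:
            hits[record.get("c-ip", "?")] += 1
    return hits

# Constructed sample inputs (placeholder public key token, documentation IP ranges).
SAMPLE_WEB_CONFIG = """<configuration><system.web><compilation><assemblies>
  <add assembly="Telerik.Web.UI, Version=2024.4.1114, Culture=neutral, PublicKeyToken=PLACEHOLDER"/>
</assemblies></compilation></system.web></configuration>"""

SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-06-01 09:00:01 203.0.113.5 GET /Telerik.Web.UI.WebResource.axd - 200
2025-06-01 09:00:02 203.0.113.5 GET /Telerik.Web.UI.WebResource.axd - 500
2025-06-01 09:00:03 198.51.100.7 GET /Default.aspx - 200""".splitlines()
```

A single client repeatedly hitting the handler, especially with 5xx responses, is a useful starting point for review; run `telerik_versions_in_web_config` over each application's web.config and `handler_hits_by_client` over the IIS log directory.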
The incident underscores a broader challenge: widely used libraries often receive less security scrutiny than standalone applications, yet vulnerabilities in these components can cascade across entire ecosystems.