Is CVE-2017-11317 exploitable?

Yes — CVE-2017-11317 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2017-11317 a false positive?

No practitioners have marked CVE-2017-11317 a false positive so far (2 verdicts).

How do I remediate CVE-2017-11317?

Practitioners have shared remediation steps for CVE-2017-11317 — see the remediation notes on this page.

CVE-2017-11317

is CVE-2017-11317real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

Critical · CVSS 9.8EPSS 83.5%CISA KEVCWE-326

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

References

NVD MITRE CVE.org CISA KEV

Published Aug 23, 2017

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2017-11317/badge.svg)](https://www.truepositive.app/cve/CVE-2017-11317)

HTML

<a href="https://www.truepositive.app/cve/CVE-2017-11317"><img src="https://www.truepositive.app/cve/CVE-2017-11317/badge.svg" alt="TruePositive verdict for CVE-2017-11317"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

2 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

Pick your verdict — we'll save it right after a quick sign-in.

Community real-world severity: Critical (Critical 2) — CVSS base score 9.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Tomáš NovákCurated
Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability — Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code. Listed in the CISA KEV catalog (added 2022-04-11) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~83%. Treat it as real and prioritize remediation over triage.
0
Remediation · Lin WeiCurated
Required action for Telerik User Interface (UI) for ASP.NET AJAX: Apply updates per vendor instructions. CISA set a federal remediation due date of 2022-05-02. After patching, verify the vulnerable path is no longer reachable before closing the finding.

Same weakness — CWE-326.

CVE-2017-11317

Community ground truth

Field notes & remediation

Related CVEs