Description
The Telerik UI component for ASP.NET AJAX is using weak, static or publicly known encryption keys to encrypt data used by RadAsyncUpload. This may allow an attacker to upload arbitrary files, which may ultimately lead to remote code execution on the software's underlying host.
This vulnerability check combines active and passive testing methods. If the Telerik UI version is known to be vulnerable but the vulnerability could not be confirmed to be exploitable, Acunetix may decrease the alert confidence level to 80. If the target was found to be vulnerable and exploitable, the confidence level will be displayed as 100 (verified), even if the Telerik UI version was not previously known to be vulnerable.
Remediation
Upgrade to the latest version, follow the guidance in the RadAsyncUpload Security Guide (https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security), and set all encryption keys.