Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker used the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection process involved confirming the availability of the file upload handler and exploiting the vulnerability to upload and execute a remote shell. The reverse shell, a mixed-mode .NET assembly, connected to a C2 server and redirected cmd.exe input/output to the attacker. Post-exploitation activities included user enumeration and the deployment of the JuicyPotatoNG privilege escalation tool. The attack highlights the continued exploitation of older vulnerabilities and emphasizes the importance of timely patching and robust security measures.

OPENCTI LABELS:

juicypotatong, privilege escalation, iis, cve-2019-18935

