
Service Agent Communication Vulnerability (0556)

Description

Product Alert - February 2025 - CVE-2025-0556

  • Telerik Report Server 2024 Q4 (10.3.24.1218) or earlier.

Issue

CWE-319 Cleartext Transmission of Sensitive Information

What Are the Impacts

In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211), when using the older .NET Framework implementation, communication of non-sensitive information between the service agent process and the app host process occurs over an unencrypted channel, which can be subjected to local network traffic sniffing.

This traffic does not include sensitive customer data; it consists only of the commands sent between the background agent service and the main application. Although the CVSS score falls in the high range because the attack vector is rated as network, the practical exploitability is very low: in the default installation of Report Server the service agent and the main application run on the same system and do not communicate across remote networks. Only deployments that place the agent and the app host on different machines expose this channel to anyone who can capture traffic on the network segment between them.

Solution

We have addressed the issue and the Progress Telerik team recommends performing an upgrade to the version listed in the table below.

Current Version                        Guidance
2024 Q4 (10.3.24.1218) or earlier      Update to 2025 Q1 (11.0.25.211) (see the update instructions)

All customers with a Telerik Report Server license can download the update from Product Downloads in Your Account.

Notes

  • If you are using the new .NET implementation, it is not affected. This is only relevant for the older .NET Framework implementation of Report Server on IIS.
  • You can check what version you are running by:
    1. Go to your Report Server web UI and log in using an account with administrator rights.
    2. Open the Configuration page (~/Configuration/Index).
    3. Select the About tab, the version number is displayed in the pane on the right.
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
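The About-tab check above is manual. The following triage helper is an added example, not Telerik's code or part of this advisory: it parses the version string as shown on the About tab (for example "2024 Q4 (10.3.24.1218)") or as a bare build number, compares it numerically against the fixed build 11.0.25.211, and applies the advisory's scoping rule that only the .NET Framework (IIS) implementation is affected. The inventory format and host names are assumptions constructed for the example. Note that comparing build numbers as strings is a common mistake ("9.x" sorts above "11.x" lexically), which is why the tuple comparison is used.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed build named in this advisory (2025 Q1).
FIXED_VERSION = (11, 0, 25, 211)

# Matches a four-part build number, either bare ("10.3.24.1218") or
# inside the About-tab form "2024 Q4 (10.3.24.1218)".
_BUILD_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)")


def parse_build(version_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part build number as a tuple of ints, or None if absent."""
    m = _BUILD_RE.search(version_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text: str, dotnet_framework: bool = True) -> bool:
    """True when the instance is in scope for CVE-2025-0556.

    Scope per the advisory: only the older .NET Framework implementation
    on IIS is affected, and only builds earlier than 11.0.25.211.
    Unparseable input is treated as affected so that triage fails closed.
    """
    if not dotnet_framework:
        return False
    build = parse_build(version_text)
    if build is None:
        return True
    # Numeric tuple comparison; a string comparison would rank "9.2.23.315"
    # above "11.0.25.211" and wrongly report an old build as patched.
    return build < FIXED_VERSION


def triage(instances: Dict[str, Tuple[str, bool]]) -> Dict[str, str]:
    """Map instance name -> verdict for a {name: (version_text, is_framework)} inventory."""
    return {
        name: ("UPDATE to 2025 Q1 (11.0.25.211)" if is_affected(version, framework)
               else "not affected")
        for name, (version, framework) in instances.items()
    }


# Constructed sample inventory for the example (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "reports-prod": ("2024 Q4 (10.3.24.1218)", True),
    "reports-test": ("2025 Q1 (11.0.25.211)", True),
    "reports-old": ("9.2.23.315", True),                 # lexically sorts after "11.x"
    "reports-core": ("2024 Q4 (10.3.24.1218)", False),   # new .NET implementation: out of scope
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

Feed it the version strings collected from each instance's About tab; anything reported as "UPDATE" is in scope for the upgrade in the table above.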

External References

CVE-2025-0556 (HIGH)

CVSS: 8.8

In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211), when using the old .NET Framework implementation, communication of non-sensitive information between the service agent process and app host process occurs over an unencrypted tunnel, which can be subjected to local network traffic sniffing.