CVE-2024-6327: 
Telerik Report Server vulnerability analysis and mitigation

A critical remote code execution (RCE) vulnerability (CVE-2024-6327) was discovered in Progress Telerik Report Server, affecting versions prior to 2024 Q2 (10.1.24.709). The vulnerability stems from an insecure deserialization issue that could allow attackers to execute remote code (Telerik Advisory, NVD).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has received a CVSS v3.1 base score of 9.8 (Critical) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Progress Software Corporation assigned a slightly different CVSS score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow attackers to execute arbitrary code remotely on affected systems, potentially leading to complete system compromise. The high CVSS scores indicate severe potential impacts on confidentiality, integrity, and availability of the affected systems (Arctic Wolf).

The primary mitigation is to upgrade to Telerik Report Server version 10.1.24.709 or later. As a temporary workaround, organizations can change the user for the Report Server Application Pool to one with limited permissions. Progress strongly recommends performing the upgrade to the latest version as the most effective solution (Telerik Advisory).