CVE-2025-0556
Telerik Report Server vulnerability analysis and mitigation

Overview

CVE-2025-0556 affects Progress® Telerik® Report Server versions prior to 2025 Q1 (11.0.25.211). The vulnerability was discovered in February 2025 and specifically impacts installations using the older .NET Framework implementation. The issue involves cleartext transmission of non-sensitive information between the service agent process and app host process (Telerik Docs).

Technical details

The vulnerability is classified as CWE-319 (Cleartext Transmission of Sensitive Information) with a CVSS v3.1 score of 8.8 HIGH. The issue specifically pertains to the communication between the background agent service and the main application, where data is transmitted over an unencrypted tunnel. This vulnerability only affects the older .NET Framework implementation of Report Server on IIS, while the new .NET implementation is not affected (Telerik Docs).

Impact

While the CVSS score is in the high range due to the network vector, the actual impact is limited. The vulnerable communication only involves non-sensitive information related to commands between the background agent service and the main application. The traffic does not expose sensitive customer data. In default installations, where the service agent and main app are on the same system, the risk is further minimized as they do not communicate across remote networks (Telerik Docs).

Mitigation and workarounds

The recommended mitigation is to upgrade to Telerik Report Server version 2025 Q1 (11.0.25.211) or later. Users can verify their current version by logging into the Report Server web UI with administrator rights, accessing the Configuration page, and checking the version number in the About tab (Telerik Docs).
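The conditions above (fixed release 11.0.25.211, only the .NET Framework implementation affected, lower risk when agent and app share a system) can be applied across an inventory to order upgrades. This is an added example, not code from Progress or from this page; the `Install` record, its field names, the status labels and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

FIXED = (11, 0, 25, 211)  # 2025 Q1 (11.0.25.211), the fixed release named above


@dataclass
class Install:
    """Hypothetical inventory record; field names are assumptions."""
    host: str        # machine running the Report Server web app
    version: str     # value read from Configuration > About
    runtime: str     # "netfx" = .NET Framework on IIS, "net" = new .NET build
    agent_host: str  # machine running the background service agent


def parse_version(text):
    """Convert a dotted version such as '11.0.25.211' to a 4-part int tuple."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def triage(inst):
    """Classify one install using only the conditions stated in the advisory."""
    if parse_version(inst.version) >= FIXED:
        return "patched"
    if inst.runtime != "netfx":
        return "not-affected"      # new .NET implementation is not affected
    if inst.agent_host.lower() != inst.host.lower():
        return "upgrade-first"     # agent traffic leaves the machine
    return "upgrade"               # default same-system install


# Constructed sample inventory (not real hosts or real release numbers).
INVENTORY = [
    Install("rpt-01", "11.0.25.211", "netfx", "rpt-01"),
    Install("rpt-02", "10.9.0.1", "netfx", "rpt-02"),
    Install("rpt-03", "10.9.0.1", "netfx", "agent-07"),
    Install("rpt-04", "10.9.0.1", "net", "rpt-04"),
    Install("rpt-05", "11.0.25", "netfx", "rpt-05"),
]


def report(inventory=INVENTORY):
    return {i.host: triage(i) for i in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```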

This report was generated using AI.
