A recent advisory from the Cybersecurity and Infrastructure Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) has revealed that a critical security flaw in Progress Telerik was exploited by multiple threat actors, including a nation-state group, to break into an unnamed federal entity in the U.S. The flaw, tracked as CVE-2019-18935, is a .NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execution. This vulnerability has been exploited by various threat actors in 2020 and 2021 and, in conjunction with CVE-2017-11317, has been weaponized by a threat actor tracked as Praying Mantis (aka TG2021) to infiltrate the networks of public and private organizations in the U.S. Indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023. Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This is a critical issue that Progress Telerik users should be aware of and take steps to mitigate. For more information on CVE-2019-18935 and CVE-2017-11357, please refer to the CISA advisory.