Outdated and unverified code on your pages

Telerik UI for ASP.NET: the .axd handler that's still getting sites owned

Telerik UI for ASP.NET AJAX is a popular set of web controls - grids, editors, schedulers - that bolt onto .NET apps. It's been around a long time, which is the problem: a vulnerability disclosed in 2019 is still being exploited in 2026, because the affected versions are baked into apps nobody has rebuilt since.

The component that gives it away is RadAsyncUpload, Telerik's file-upload control. Every page that uses it references a handler at /Telerik.Web.UI.WebResource.axd?type=rau. That handler is served right there in the page source, so you don't need to log in or send a payload to see whether a site is running Telerik - you just read the HTML. And if the version behind it is older than 2019.3.1023, that handler is the entry point for CVE-2019-18935.

Request:
GET / HTTP/1.1
Host: app.yoursite.com

Response:
HTTP/1.1 200 OK
Content-Type: text/html
...
<script src="/Telerik.Web.UI.WebResource.axd?type=rau"></script>
<!-- Telerik.Web.UI 2018.1.117 -->

The handler reference is served in the page. No login, no payload - just the HTML the site already hands you.

Why this one is rated critical

CVE-2019-18935 is an insecure deserialization bug in RadAsyncUpload. When the encryption key protecting the upload configuration is the default - or weak, or already leaked, which it often is for these older builds - an attacker can craft an upload that the handler deserializes into a live object, and from there run arbitrary code on the server. It's unauthenticated remote code execution, and it's serious enough that CISA put it on the Known Exploited Vulnerabilities list: confirmed, ongoing, real-world attacks, not a theoretical risk.

$ view-source: Telerik.Web.UI.min.js
detected Telerik.Web.UI 2018.1.117 (shipped 2018)
2018.1.117 - on your page
2019.3.1023 - RadAsyncUpload deserialization hardened
CVE-2019-18935: public exploit, no patch on this version

The version on your page predates the fix by years. The exploit is public.

The reason it lingers is that Telerik is a paid, vendored component, not an npm package you bump in a dependabot PR. Upgrading means a licensed download, a rebuild, and a redeploy of a .NET app that may not have been touched in years. So the vulnerable handler keeps shipping, and scanners keep finding it.

Upgrade the control, rotate the key

The fix is to get above the version floor and make sure the upload encryption key is strong and unique.

Telerik.Web.UI 2018.1.117
<!-- default / weak encryption key, vulnerable RadAsyncUpload -->

Upgrade past 2019.3.1023 and set a strong, unique RadAsyncUpload key.

Upgrade Telerik UI for ASP.NET AJAX to 2019.3.1023 or newer, then set a strong, unique ConfigurationEncryptionKey and ConfigurationHashKey in web.config - because even a patched version remains exposed if it's still running on the default key. If you can't upgrade immediately, disabling RadAsyncUpload removes the vulnerable handler as a stopgap.

Whether a stranger can tell you're on a vulnerable Telerik build is something they read straight out of your page source, which means we check it the same way. SurfaceCheckr looks for the Telerik.Web.UI.WebResource.axd?type=rau handler in the served HTML and, when it can read a version, flags the finding only when that version is below the 2019.3.1023 floor - never on a page that just mentions Telerik by name, and never by sending an upload. It reads the marker and stops. That's the check that tells you whether the control on your pages is the one attackers are still actively hunting.
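As an added illustration of the passive check described above, and of the key setting from the previous section, here is a small Python script that is not SurfaceCheckr's code and not Telerik's. It scans already-served HTML for the RadAsyncUpload handler reference, reads a version marker laid out the way the page's sample response shows it (an HTML comment after the script tag; that layout is an assumption taken from the sample), and flags a finding only when the build is below 2019.3.1023, reporting "unknown" rather than guessing when no version is readable. The second function renders the two web.config appSettings the fix calls for with freshly generated random values; the setting names are the ones Telerik documents for RadAsyncUpload, but confirm them against the documentation for your build. The sample responses are constructed, not captured from any real site.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Version floor named on the page: builds below it still expose the
# RadAsyncUpload deserialization path behind CVE-2019-18935.
FIXED_VERSION: Tuple[int, int, int] = (2019, 3, 1023)

# The handler reference a RadAsyncUpload page ships in its HTML
# (/Telerik.Web.UI.WebResource.axd?type=rau). Requiring "type=rau" in the
# query is what separates this from a page that merely mentions Telerik.
HANDLER_RE = re.compile(
    r"Telerik\.Web\.UI\.WebResource\.axd\?[^\"'\s>]*\btype=rau\b", re.IGNORECASE
)

# Telerik builds are numbered YYYY.Q.BUILD (e.g. 2018.1.117). This looks for
# that pattern shortly after a "Telerik.Web.UI" marker, such as the HTML
# comment in the page's sample response. Assumption: the version is printed
# in the served HTML at all; when it is not, the check must not guess.
VERSION_RE = re.compile(r"Telerik\.Web\.UI[^\d]{0,20}(\d{4})\.(\d)\.(\d{3,4})")


def fmt(v: Tuple[int, ...]) -> str:
    """Render a version tuple back to Telerik's dotted form."""
    return ".".join(str(x) for x in v)


@dataclass
class TelerikFinding:
    handler_present: bool
    version: Optional[Tuple[int, ...]]
    vulnerable: Optional[bool]  # None = handler seen but version unreadable
    reason: str


def check_html(html: str) -> TelerikFinding:
    """Passive check over HTML the site already served: no upload, no payload."""
    if HANDLER_RE.search(html) is None:
        return TelerikFinding(False, None, None,
                              "no RadAsyncUpload handler reference in the HTML")
    m = VERSION_RE.search(html)
    if m is None:
        # Handler is there but the build is unknown: report the marker,
        # do not flag as vulnerable on a guess.
        return TelerikFinding(True, None, None,
                              "handler present, version not readable from HTML")
    version = tuple(int(g) for g in m.groups())
    if version < FIXED_VERSION:
        return TelerikFinding(True, version, True,
                              f"{fmt(version)} is below the {fmt(FIXED_VERSION)} fix floor")
    return TelerikFinding(True, version, False,
                          f"{fmt(version)} is at or above the fix floor")


def appsettings_for_keys(encryption_key: Optional[str] = None,
                         hash_key: Optional[str] = None) -> str:
    """Render the two web.config appSettings the page tells you to set, with
    freshly generated random values. Assumption: these are the setting names
    Telerik documents for RadAsyncUpload; confirm against your build's docs."""
    encryption_key = encryption_key or secrets.token_hex(32)  # 256 bits of randomness
    hash_key = hash_key or secrets.token_hex(32)
    return (
        "<appSettings>\n"
        f'  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="{encryption_key}" />\n'
        f'  <add key="Telerik.Upload.ConfigurationHashKey" value="{hash_key}" />\n'
        "</appSettings>"
    )


# Constructed sample responses, modelled on the page's own example.
SAMPLE_VULNERABLE = """<html><head>
<script src="/Telerik.Web.UI.WebResource.axd?type=rau"></script>
<!-- Telerik.Web.UI 2018.1.117 -->
</head><body></body></html>"""
SAMPLE_AT_FLOOR = SAMPLE_VULNERABLE.replace("2018.1.117", "2019.3.1023")
SAMPLE_NAME_ONLY = "<p>Built with Telerik UI for ASP.NET AJAX.</p>"

if __name__ == "__main__":
    for name, html in [("vulnerable", SAMPLE_VULNERABLE),
                       ("at floor", SAMPLE_AT_FLOOR),
                       ("name only", SAMPLE_NAME_ONLY)]:
        print(f"{name}: {check_html(html)}")
    print(appsettings_for_keys())
```

The three outcomes the check distinguishes are deliberate: no handler (nothing to report), handler with an unreadable version (report the marker, do not flag), and handler with a version below the floor (flag). Collapsing the middle case into a finding is how a scanner ends up flagging every page that happens to mention Telerik.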

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.