Progress Telerik Report Server Unencrypted Communication Vulnerability Allowing Local Traffic Sniffing

Vulnerability

A vulnerability exists in Progress Telerik Report Server versions prior to 2025 Q1 (11.0.25.211) when the older .NET Framework implementation is used. The service agent process and the app host process exchange commands over an unencrypted channel, so the non-sensitive information carried by those commands can be intercepted by sniffing local network traffic. The affected communication does not involve sensitive customer data; it consists of commands exchanged between the background agent service and the main application. In default installations, both processes run on the same system and do not communicate over remote networks.

Impact

Exploitation of this vulnerability could allow an attacker sniffing local network traffic to intercept the non-sensitive commands exchanged between the service agent process and the app host process.

Remediation

Users are advised to upgrade to Progress Telerik Report Server version 2025 Q1 (11.0.25.211). Instructions for upgrading are available in the Report Server Implementer Guide. Customers with a Telerik Report Server license can access the updated version through the Telerik Product Downloads page.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         1.9
impact:         0.6
exploitability: 4.8
remediation:    7.7
relevance:      0.0
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined into the overall risk score.