
CVE-2024-8048: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Progress Software Telerik Reporting

Severity: High
Published: Wed Oct 09 2024 (10/09/2024, 14:18:56 UTC)
Source: CVE Database V5
Vendor/Project: Progress Software
Product: Telerik Reporting

Description

In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.

AI-Powered Analysis

Last updated: 11/03/2025, 20:08:43 UTC

Technical Analysis

CVE-2024-8048 is a vulnerability classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as unsafe reflection) affecting Progress Software's Telerik Reporting versions prior to 18.2.24.924 (2024 Q3). The vulnerability arises from insecure expression evaluation: an attacker who can influence the input that selects a class or code path at runtime can perform object injection, and this unsafe reflection can lead to arbitrary code execution in the context of the application.

The vulnerability has a CVSS 3.1 base score of 7.8 (high severity), with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack requires local access (AV:L), has low attack complexity (AC:L), and needs no privileges (PR:N), but does require user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H).

Although no public exploits are known at this time, the vulnerability poses a serious risk because it enables code execution via object injection, which could allow attackers to execute arbitrary code, compromise sensitive data, alter reports, or disrupt reporting services. Telerik Reporting is widely used for generating reports in .NET applications, often in enterprise environments. The root cause is the insecure expression evaluation mechanism, in which user-supplied input is not properly validated or sanitized before being used in reflection-based code execution paths. The vulnerability was reserved on 2024-08-21 and published on 2024-10-09. No patch links are provided in the record, so remediation is expected to require upgrading to the fixed version 18.2.24.924 or later.

Potential Impact

For European organizations, this vulnerability could have significant consequences, especially for those relying on Telerik Reporting for business intelligence, compliance reporting, or operational dashboards. Successful exploitation could lead to full system compromise, data breaches involving sensitive or regulated information, and disruption of critical reporting functions. This is particularly concerning for sectors such as finance, healthcare, government, and manufacturing, where reporting accuracy and data confidentiality are paramount. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, as insider threats or phishing attacks could facilitate exploitation. Additionally, compromised reporting servers could serve as pivot points for lateral movement within corporate networks. The high impact on confidentiality, integrity, and availability underscores the potential for severe operational and reputational damage. Organizations failing to promptly address this vulnerability may face regulatory penalties under GDPR if personal data is exposed or manipulated.

Mitigation Recommendations

Immediate mitigation should focus on upgrading Telerik Reporting to version 18.2.24.924 or later once the patch is available. Until then, organizations should restrict access to reporting servers to trusted users only and enforce strict input validation and sanitization on all user-supplied data used in report expressions. Disable or limit the use of dynamic expressions or reflection-based features in reports where possible. Implement application whitelisting and runtime application self-protection (RASP) to detect and block suspicious code execution attempts. Conduct thorough code reviews and penetration testing focused on expression evaluation components. Monitor logs for unusual activity related to report generation or expression evaluation. Educate users about the risks of interacting with untrusted inputs in reporting tools. Finally, maintain up-to-date backups of reporting configurations and data to enable rapid recovery in case of compromise.


Technical Details

Data Version
5.2
Assigner Short Name
ProgressSoftware
Date Reserved
2024-08-21T17:18:57.546Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690908577fff0e30cee23a1f

Added to database: 11/3/2025, 7:53:59 PM

Last enriched: 11/3/2025, 8:08:43 PM

Last updated: 11/4/2025, 7:29:04 AM

