Progress Sitefinity Alert: CVE-2025-3600 Exploit Released — Patch Immediately

When this flaw was first disclosed in May 2025, Progress Software urged all customers using Telerik UI for ASP.NET AJAX to apply a patch. Patched builds were released and, for several months, it was reasonable to assume the risk had been contained. However, by mid-October 2025 technical details and a proof-of-concept write-up were published, which significantly raises the urgency for any systems that remain unpatched.

In this article, we’ll break down what the vulnerability means, which Sitefinity versions are affected, why the recent exploit release matters, and what steps you should take right now to secure your environment.

What happened (short timeline)?

30 April 2025

Progress received the research report and prepared a fix.

14 May 2025

Progress published the Sitefinity security advisory and CVE-2025-3600, and provided patched builds.

10–11 October 2025

Public technical analysis and an exploit payload were released by a third-party researcher (public disclosure). That makes exploitation of unpatched systems far more likely. Progress has not reported customer incidents so far, but the community disclosure increases real-world risk.

Impact

Unauthenticated requests that reach the affected component can crash the application, causing a denial of service. Progress has not reported any customer incidents so far, but the vulnerability is serious and should be addressed promptly.

What is the vulnerability?

CVE-2025-3600 is an "unsafe reflection" vulnerability (externally controlled input used to select classes or code) in the Telerik UI for ASP.NET AJAX library, which Sitefinity ships as Telerik.Web.UI.dll. In simple terms: if your site uses an affected build, an attacker can send a specially crafted request that makes the component reflectively invoke internal types or members it was never meant to reach, and the application crashes (denial of service). Because the component is reachable over the network in most deployments and the request needs no authentication, the flaw received a High severity rating (CVSS 3.1 base score 7.5, the usual score for an unauthenticated remote denial of service with no confidentiality or integrity impact).

Which Products and Versions are affected?

The affected Telerik UI for ASP.NET AJAX versions span many releases of the library. Progress made the fix available for the supported Sitefinity lines; customers running Sitefinity versions 4.2 up to 15.3 were asked to upgrade where appropriate, and the table below lists the builds that carry the fix. Sitefinity Cloud (SaaS) customers are handled differently (see below).

Patched Sitefinity Builds — Upgrade Targets

Progress published patched Sitefinity builds that include an updated Telerik.Web.UI. If your Sitefinity instance is on one of the lines listed, upgrade to the corresponding build:

Vulnerable Sitefinity line   Patched Sitefinity build   Updated Telerik.Web.UI version (fixed)
13.3.X                       13.3.7651                  2023.3.1616.45
14.4.X                       14.4.8146                  2023.3.1616.45
15.0.X                       15.0.8232                  2023.3.1616.45
15.1.X                       15.1.8333                  2023.3.1616.45
15.2.X                       15.2.8430                  2024.3.1616.462
15.3.X                       15.3.8521                  2024.3.1616.462

(These patch mappings come from Progress' advisory and KB article; upgrade to the build that matches your line. The last component of the Telerik.Web.UI version denotes the .NET Framework build it targets, .45 for 4.5 and .462 for 4.6.2, so the 15.2 and 15.3 lines need the 2024.3 build and a site on those lines is not safe just because it is above 2023.3.1616.45.)

Important notes about Sitefinity Cloud customers

Sitefinity Cloud (SaaS) customers

Progress stated that SaaS instances will be automatically upgraded to the fixed versions, so no action is required from those customers.

Sitefinity Cloud (PaaS) customers

You must apply the update/patch through your usual patch process. Don’t assume automatic upgrade for PaaS.

Why does the October 11 disclosure matter?

When exploit code or detailed technical write-ups are publicly released, the time-to-exploit in real attacks often drops from weeks or months to days or hours. Automated scanners and attackers probe aggressively for disclosed flaws. Although Progress has not reported confirmed attacks exploiting CVE-2025-3600 yet, the public PoC means that unpatched sites now face a much higher risk. Treat this as a high-priority patching event.

Mitigation options (if you can’t upgrade immediately)

Progress published mitigation workarounds in the KB for customers who cannot upgrade right away. Options include:

Replace DLLs + binding redirects

Replace the Telerik.Web.UI DLL in bin with the fixed build for your Sitefinity line (pick the .45 or .462 build that matches the .NET Framework your site targets) and add an assembly binding redirect in web.config so that every compiled reference to the old version resolves to the new one. This helps if you can't rebuild the app but can swap binaries.

Web.config handler/axd hardening

Restrict or remove Telerik handlers that your site does not need. Follow the KB steps exactly; incorrect changes can break functionality.

Temporary WAF/IPS rule

Use web application firewall signatures (vendors have started publishing protections) to block suspicious requests that match the PoC patterns until you patch. (Vendors like Check Point and others published protections after public disclosure.)

If you choose a workaround, test it thoroughly in staging before applying to production.
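The DLL-swap workaround above, as an added worked example (this script is not from the Progress KB or from IDS Logic): it reads the assembly identity of the Telerik.Web.UI.dll now sitting in bin and writes or updates the matching bindingRedirect in web.config, so the redirect cannot drift from the binary that was actually deployed. The site path is hypothetical, and it assumes the fixed DLL has already been copied into bin.

```powershell
# Added example, not taken from the Progress KB: after copying the fixed Telerik.Web.UI.dll
# into bin, write (or update) the assemblyBinding redirect in web.config so that every
# compiled reference to the old version resolves to the replacement binary.
# Assumptions: $SiteRoot is a hypothetical path; the DLL in bin is the build for your
# Sitefinity line and target .NET Framework (version suffix .45 or .462); run in staging first.
$SiteRoot   = 'C:\inetpub\wwwroot\sitefinity'
$WebConfig  = Join-Path $SiteRoot 'web.config'
$TelerikDll = Join-Path $SiteRoot 'bin\Telerik.Web.UI.dll'
$AsmNs      = 'urn:schemas-microsoft-com:asm.v1'

# Take the identity from the binary itself: the redirect must name the assembly version
# and public key token, which should not be typed by hand from a file-properties dialog.
$asm        = [System.Reflection.AssemblyName]::GetAssemblyName($TelerikDll)
$newVersion = $asm.Version.ToString()
$token      = -join ($asm.GetPublicKeyToken() | ForEach-Object { $_.ToString('x2') })

# Keep a timestamped backup before touching the live configuration.
Copy-Item $WebConfig ('{0}.bak-{1}' -f $WebConfig, (Get-Date -Format 'yyyyMMddHHmmss'))

[xml]$cfg = Get-Content -Raw $WebConfig
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$ns.AddNamespace('asm', $AsmNs)

# Return the first child matching $xpath, creating it (in the given namespace) when missing.
function Get-OrAddElement($parent, $xpath, $name, $nsUri) {
    $node = $parent.SelectSingleNode($xpath, $ns)
    if (-not $node) { $node = $parent.AppendChild($cfg.CreateElement($name, $nsUri)) }
    return $node
}

$runtime  = Get-OrAddElement $cfg.DocumentElement 'runtime' 'runtime' ''
$binding  = Get-OrAddElement $runtime 'asm:assemblyBinding' 'assemblyBinding' $AsmNs
$dep      = Get-OrAddElement $binding "asm:dependentAssembly[asm:assemblyIdentity/@name='Telerik.Web.UI']" 'dependentAssembly' $AsmNs
$identity = Get-OrAddElement $dep 'asm:assemblyIdentity' 'assemblyIdentity' $AsmNs
$redirect = Get-OrAddElement $dep 'asm:bindingRedirect' 'bindingRedirect' $AsmNs

$identity.SetAttribute('name', 'Telerik.Web.UI')
$identity.SetAttribute('publicKeyToken', $token)
$identity.SetAttribute('culture', 'neutral')
$redirect.SetAttribute('oldVersion', "0.0.0.0-$newVersion")   # every older reference
$redirect.SetAttribute('newVersion', $newVersion)             # resolves to the DLL in bin
$cfg.Save($WebConfig)

# Verify: the redirect now names exactly the assembly that is in bin.
$check = $cfg.SelectSingleNode("//asm:dependentAssembly[asm:assemblyIdentity/@name='Telerik.Web.UI']/asm:bindingRedirect", $ns)
"Telerik.Web.UI in bin: $newVersion (token $token); web.config redirects to: $($check.newVersion)"
```

Run it against a staging copy first and diff web.config against the backup; the only intended change is the Telerik.Web.UI dependentAssembly entry. If the site's compiled code or other Telerik assemblies reference a specific Telerik.Web.UI version, the redirect is what makes them load the replacement without a rebuild.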

Practical checklist — What you should do now

Confirm versions

Immediately identify which Sitefinity and Telerik.Web.UI versions each of your sites uses. Inventory all public-facing and internal instances.

Patch

Upgrade to the published builds shown above as soon as you can. If you run many sites, prioritise public-facing and customer-facing instances first.

If you can't patch fast, apply the KB mitigations (binding redirects or handler changes) and/or enforce WAF/IPS rules.

Test

Apply patches in staging, run functional tests and smoke tests, then deploy to production during a maintenance window.

Monitor logs

Watch web logs, IIS logs and application logs for unusual requests, spikes in 500/exception rates, or repeated attempts against the Telerik axd handlers.

Open a support case

If you have concerns about compatibility, reach out to Progress Support (or your vendor/partner) for guided help.
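The "Monitor logs" step of the checklist, as an added worked example (this script is not from IDS Logic or Progress): it parses IIS W3C logs using their own #Fields header, keeps only requests aimed at the Telerik handler namespace, and reports per client how many of those requests ended in HTTP 500, which is the signal a crash attempt leaves behind. The log lines embedded here are constructed sample data with TEST-NET addresses, not real traffic, and the live log path in the usage comment is hypothetical.

```powershell
# Added example (not from the article's vendor or from Progress): triage IIS W3C logs for
# requests against Telerik handlers and the HTTP 500 spikes a crash attempt produces.
# Assumptions: logs carry the standard '#Fields:' header; the sample lines below are
# constructed (TEST-NET addresses) and are not real traffic.
function Get-TelerikHandlerActivity {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$ErrorThreshold = 5          # 500s from one client before it is flagged
    )
    $fields = $null
    $hits = foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {             # IIS writes this header per log file
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }  # malformed line: skip rather than guess
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # Anything under the Telerik handler namespace (WebResource.axd, DialogHandler, ...).
        if ($row['cs-uri-stem'] -imatch 'Telerik\.Web\.UI') { [pscustomobject]$row }
    }
    $hits | Group-Object -Property 'c-ip' | ForEach-Object {
        $errors = @($_.Group | Where-Object { $_.'sc-status' -eq '500' }).Count
        $agents = ($_.Group.'cs(User-Agent)' | Sort-Object -Unique) -join ';'
        [pscustomobject]@{
            ClientIP   = $_.Name
            Requests   = $_.Count
            Status500  = $errors
            UserAgents = $agents
            Suspicious = ($errors -ge $ErrorThreshold)
        }
    } | Sort-Object Status500 -Descending
}

# Constructed sample: one scanner hammering the handler and collecting 500s, one normal browser.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-12 09:14:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abc 443 - 203.0.113.7 python-requests/2.32 - 500 0 0 41
2025-10-12 09:14:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abd 443 - 203.0.113.7 python-requests/2.32 - 500 0 0 39
2025-10-12 09:14:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abe 443 - 203.0.113.7 python-requests/2.32 - 500 0 0 40
2025-10-12 09:14:03 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abf 443 - 203.0.113.7 python-requests/2.32 - 500 0 0 38
2025-10-12 09:14:03 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abg 443 - 203.0.113.7 python-requests/2.32 - 500 0 0 42
2025-10-12 09:14:05 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1 443 - 198.51.100.20 Mozilla/5.0 https://www.example.com/ 200 0 0 5
2025-10-12 09:14:06 10.0.0.5 GET /about-us - 443 - 198.51.100.20 Mozilla/5.0 https://www.example.com/ 200 0 0 12
'@ -split "`r?`n"

Get-TelerikHandlerActivity -LogLines $sample -ErrorThreshold 5 | Format-Table -AutoSize
# Against live logs (hypothetical path; the W3SVC folder number is the IIS site id):
# Get-TelerikHandlerActivity -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') | Where-Object Suspicious
```

On the sample data the scanner at 203.0.113.7 shows five requests, five 500s and Suspicious = True, while the browser at 198.51.100.20 shows one request with no errors. Pair the per-client counts with the application event log or Sitefinity error log for the same minutes: a run of 500s against the Telerik handler with no matching deployment or configuration change is worth treating as an exploitation attempt and blocking at the WAF.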

Operational note — Progress planned maintenance (Oct 11)

As part of the platform hardening and service improvement process, Progress performed an infrastructure upgrade on 11 October 2025. It was communicated in advance through a planned outage window and affected certain customer portals and download services. If you depend on Progress product downloads or activations during patching, be aware of these service windows.

Sources and highlights:

  • The National Vulnerability Database and multiple security vendors document CVE-2025-3600 as an unsafe reflection / denial-of-service issue.
  • A public write-up and PoC were published in October 2025 by the researcher team that originally disclosed the flaw; that publication is what materially increased the risk.
  • Several IPS/WAF vendors and threat-intelligence sources added protections after the public disclosure; these can help while you patch.

Final words — Treat this as urgent but manageable

CVE-2025-3600 was fixed in May 2025, so customers who patched then are already covered. However, the public disclosure of exploit details in October 2025 changes the picture: unpatched sites now face significantly higher exposure. If you're still running older Telerik UI builds or older Sitefinity versions, prioritise this update now. If you need help scoping your Sitefinity estate, testing compatibility, or applying the patch safely, our team at IDS Logic can assist you with a rapid, low-risk security upgrade plan.

Need help?

If you’d like IDS Logic to review your Sitefinity estate, map affected instances, test patches in staging, or implement mitigations and monitoring, we offer fast security-focused upgrade packages. Reply here or book a technical support engagement and we’ll start with an inventory and risk assessment.

Frequently Asked Questions

Q1: Has Progress confirmed active exploitation?

Progress had not reported customer exploitation at the time of their advisory. However, the public PoC makes exploitation more likely.

Q2: If you’re on Sitefinity Cloud SaaS, do you need to act?

No, SaaS instances are being upgraded by Progress automatically. Confirm with your account team, but no immediate action is typically required.

Q3: What if we can’t upgrade due to third-party modules?

Use the KB mitigations and WAF rules, and plan an upgrade path with your vendors. Test carefully in staging.

Q4: Are there any signs that attackers are scanning or exploiting this vulnerability yet?

As of mid-October 2025, Progress has not confirmed any active exploitation, but several threat-intelligence platforms and vulnerability scanners have already added CVE-2025-3600 detection signatures, so automated scans for unpatched systems are likely underway. Even though no incidents have been reported yet, assume the window for safe delay is closing fast; patching now is the safest course of action.

Q5: How can we verify if our Sitefinity deployment includes a vulnerable Telerik build?

To check whether your Sitefinity environment is at risk:

  • On your Sitefinity web server, locate the Telerik.Web.UI.dll file (typically in the site's bin directory).
  • Read its version: right-click the file → Properties → Details shows the File Version and Product Version; the assembly version, which is what the runtime and any binding redirect actually compare, can be read with [System.Reflection.AssemblyName]::GetAssemblyName(path) in PowerShell.
  • Identify your Sitefinity line (for example 15.2.X) and compare the Telerik build against the fixed build for that line in this article's table or in Progress' advisory: 2023.3.1616.45 for 13.3 through 15.1, 2024.3.1616.462 for 15.2 and 15.3. A lower build on the same line is vulnerable. A single threshold such as "lower than 2023.3.1616.45" is not enough, because the 15.2 and 15.3 lines need the later 2024.3 build.
  • If unsure, open Sitefinity's Administration → System → Version information page, which also lists embedded Telerik components.
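The "Confirm versions" step of the checklist and the manual check in Q5, as one added worked example (this script is not Progress' tooling or IDS Logic's): it walks every IIS site and application on a server, reads the assembly versions of Telerik.Web.UI.dll and Telerik.Sitefinity.dll from bin, and compares the Telerik build with the fixed build for that Sitefinity line from the table above. It assumes the WebAdministration module is available and that the Telerik.Sitefinity.dll assembly version carries the Sitefinity product version, so its major.minor identifies the line.

```powershell
# Added example (not Progress' tooling): inventory Telerik.Web.UI builds across all IIS sites
# and compare each with the fixed build for its Sitefinity line from the table in this article.
# Assumptions: run elevated on the web server with the WebAdministration module installed;
# the Telerik.Sitefinity.dll assembly version is the Sitefinity product version (major.minor
# is the line); a site without Telerik.Web.UI.dll in bin is skipped as not applicable.
Import-Module WebAdministration

# Fixed Telerik.Web.UI build per Sitefinity line, copied from the table above.
$FixedTelerikByLine = @{
    '13.3' = [version]'2023.3.1616.45'
    '14.4' = [version]'2023.3.1616.45'
    '15.0' = [version]'2023.3.1616.45'
    '15.1' = [version]'2023.3.1616.45'
    '15.2' = [version]'2024.3.1616.462'
    '15.3' = [version]'2024.3.1616.462'
}

function Get-AssemblyVersionOrNull([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # The assembly version is what the CLR and any binding redirect compare; the File Version
    # shown in Explorer's Properties dialog is informational only.
    return [System.Reflection.AssemblyName]::GetAssemblyName($Path).Version
}

function Get-SitefinityTelerikStatus([string]$Name, [string]$PhysicalPath) {
    $root = [Environment]::ExpandEnvironmentVariables($PhysicalPath)   # IIS stores %SystemDrive% etc.
    $telerikVer = Get-AssemblyVersionOrNull (Join-Path $root 'bin\Telerik.Web.UI.dll')
    if (-not $telerikVer) { return $null }                              # not a Telerik/Sitefinity app
    $sfVer = Get-AssemblyVersionOrNull (Join-Path $root 'bin\Telerik.Sitefinity.dll')

    $line  = if ($sfVer) { '{0}.{1}' -f $sfVer.Major, $sfVer.Minor } else { 'unknown' }
    $fixed = $FixedTelerikByLine[$line]
    # The 4th version component (.45 / .462) is the .NET Framework build, not a patch level,
    # so a plain numeric compare across different suffixes would be misleading: flag for review.
    $status = if (-not $fixed)                                  { 'NO MAPPING: check the KB for this line' }
              elseif ($telerikVer.Revision -ne $fixed.Revision) { 'REVIEW: .45/.462 build differs from the fixed build' }
              elseif ($telerikVer -ge $fixed)                   { 'PATCHED' }
              else                                              { 'VULNERABLE' }

    [pscustomobject]@{
        Site = $Name; SitefinityLine = $line; Sitefinity = $sfVer
        TelerikWebUI = $telerikVer; FixedBuild = $fixed; Status = $status
    }
}

# Enumerate every IIS site and every application under it, then report worst first.
$results = foreach ($site in Get-Website) {
    Get-SitefinityTelerikStatus $site.Name $site.PhysicalPath
    foreach ($app in Get-WebApplication -Site $site.Name) {
        Get-SitefinityTelerikStatus ('{0}{1}' -f $site.Name, $app.Path) $app.PhysicalPath
    }
}
$results | Where-Object { $_ } | Sort-Object Status |
    Format-Table Site, SitefinityLine, Sitefinity, TelerikWebUI, FixedBuild, Status -AutoSize
```

Run it on each web server (or push it out with your configuration management tool) and keep the output as the inventory the rest of the checklist works from. A line that is not in the table reports NO MAPPING rather than guessing, and a Telerik build whose framework suffix differs from the fixed build is reported for review rather than as patched, so nothing is silently marked safe.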
