Remote code execution in HPE Performance Center

Published: 2018-02-13 | Updated: 2023-01-26
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-11357
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
HP Performance Center
Other software / Other software solutions

Vendor Hewlett Packard Enterprise Development LP

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Improper security restrictions


Risk: High


CVE-ID: CVE-2017-11357


Exploit availability:


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in Progress Telerik User Interface (UI) for ASP.NET AJAX due to use of user-supplied input by RadAsyncUpload without modification or validation. A remote attacker can upload arbitrary files and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


Update to version 12.55.

Vulnerable software versions

HP Performance Center: 11.52 - 12.53

Fixed software versions

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?