
Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG

Published 31/01/2025 11:54 · Modified 31/01/2025 14:07


Essential information

Published
31/01/2025 11:54
Modified
31/01/2025 14:07
Tags
2025-01-31 CVE-2019-18935 iis juicypotatong privilege-escalation
Related entities
1 vulnerability (CVE), 4 observables, 8 techniques (MITRE)

Description

In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker used the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection process involved first confirming that the vulnerable file upload handler was reachable, then exploiting the vulnerability to upload and execute a reverse shell. The reverse shell, a mixed-mode .NET assembly, connected to a C2 server and redirected the input and output of cmd.exe to the attacker. Post-exploitation activity included user enumeration and the deployment of the JuicyPotatoNG privilege escalation tool. The attack highlights the continued exploitation of older vulnerabilities and emphasizes the importance of timely patching and robust security measures.

External references