CVE-2023-29492
published 2023-04-11CVE-2023-29492: Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide…
PriorityP183critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2023-05-04
Exploited in the wild
EPSS
2.69%
84.0th percentile
Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3rdmill | novi_survey | < 8.9.43676 | 8.9.43676 |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability class is insecure deserialization in Novi Survey before version 8.9.43676, enabling remote code execution as the service account — monitor for anomalous process spawning from the Novi Survey service process ↗
- →Exploitation vector is remote and unauthenticated deserialization — inspect inbound HTTP requests to Novi Survey endpoints for serialized object payloads (e.g., binary or base64-encoded .NET/Java serialization magic bytes) ↗
- ·Successful exploitation does NOT expose stored survey or response data — scope of impact is limited to service account code execution on the host ↗
- ·Vendor advisory and patch details are referenced at the Novi Survey blog; apply updates per vendor instructions targeting versions 8.9.43676 and later ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-6p4p-p9hh-3hq7: Novi Survey before 8
ghsa_unreviewed·2023-04-11
CVE-2023-29492 [CRITICAL] CWE-94 GHSA-6p4p-p9hh-3hq7: Novi Survey before 8
Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
VulnCheck
Novi Survey Insecure Deserialization Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-29492 [CRITICAL] CWE-94 Novi Survey Insecure Deserialization Vulnerability
Novi Survey Insecure Deserialization Vulnerability
Novi Survey contains an insecure deserialization vulnerability that allows remote attackers to execute code on the server in the context of the service account.
Affected: Novi Survey Novi Survey
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cisa.gov/sites/default/files/2024-11/aa24-317a-2023-top-routinely-exploited-vulnerabilities.pdf; https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/2023-top-routinely-exploited-vulnerabilities
Remediation Due: 2023-05-04
CISA
Novi Survey Insecure Deserialization Vulnerability
cisa·2023-04-13·CVSS 9.8
CVE-2023-29492 [CRITICAL] CWE-94 Novi Survey Insecure Deserialization Vulnerability
Vulnerability: Novi Survey Insecure Deserialization Vulnerability
Affected: Novi Survey Novi Survey
Novi Survey contains an insecure deserialization vulnerability that allows remote attackers to execute code on the server in the context of the service account.
Required Action: Apply updates per vendor instructions.
Notes: https://novisurvey.net/blog/novi-survey-security-advisory-apr-2023.aspx; https://nvd.nist.gov/vuln/detail/CVE-2023-29492
Remediation Due Date: 2023-05-04
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-04-11
Published
2023-04-13
Added to CISA KEV
Exploited in the wild