CVE-2021-27852
Vexday Risk Score: 70 (High priority)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
CVSS: 9.8 · EPSS: 31.9% · KEV: yes · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
27 May 2021: Published on NVD
11 Apr 2022: Active exploitation confirmed (added to the CISA KEV catalog)
Recommendation: Patch as soon as possible; active exploitation is confirmed.
In short
Checkbox Survey versions before 7 contain a critical flaw that lets an attacker run arbitrary code on the web server without logging in. The root cause is that the application deserializes data it receives from clients without verifying it, so any instance reachable over the network is an urgent risk.
Technical detail
CVE-2021-27852 is a deserialization of untrusted data vulnerability (CWE-502) in CheckboxWeb.dll, the web assembly of Checkbox Survey. A remote attacker who can reach the application over the network, with no account and no user interaction, sends a crafted serialized object; when the application deserializes it, attacker-chosen code runs in the context of the web application process. All Checkbox Survey versions prior to 7 are affected, and the remediation is to upgrade to version 7 or later. Given the CVSS 9.8 profile (network vector, low complexity, no privileges, full confidentiality, integrity and availability impact) and the confirmed in-the-wild exploitation recorded in the CISA KEV catalog, internet-facing instances should be upgraded first and reviewed for signs of prior compromise rather than assumed clean.
Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions prior to 7.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
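As an added illustration (not Checkbox Survey's own code; the internals of CheckboxWeb.dll are not described on this page), the C# below shows the CWE-502 pattern this CVE belongs to beside a hardened replacement. The `SurveyState` class, the choice of `BinaryFormatter` as the unsafe serializer, the `StateCodec` token layout and its HMAC key are all assumptions made for the example, and it assumes .NET Framework 4.x, where `BinaryFormatter` is still enabled by default.

```csharp
// Added example of the CWE-502 pattern behind CVE-2021-27852, not code from
// Checkbox Survey. Assumes .NET Framework 4.x (BinaryFormatter still enabled).
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Text;

// Hypothetical per-request state the server wants to round-trip through the client.
[Serializable]
public sealed class SurveyState
{
    public int SurveyId;
    public int PageIndex;
}

public sealed class StateCodec
{
    private readonly byte[] key;

    // Assumed: a persistent 32-byte secret loaded from server configuration.
    public StateCodec(byte[] hmacKey) { key = hmacKey; }

    // VULNERABLE: the client controls the entire serialized object graph.
    // BinaryFormatter instantiates whatever types the stream names, so a
    // gadget-chain payload executes attacker code inside deserialization
    // callbacks before the cast to SurveyState is ever reached. No login is
    // required, because this runs on any request that carries the parameter.
    public static SurveyState DecodeUnsafe(string base64State)
    {
        byte[] raw = Convert.FromBase64String(base64State);
        using (var stream = new MemoryStream(raw))
        {
            var formatter = new BinaryFormatter();
            return (SurveyState)formatter.Deserialize(stream);
        }
    }

    // HARDENED, part 1: a fixed, type-free encoding ("surveyId:pageIndex").
    // The client cannot name types, so there is nothing for a gadget chain to
    // instantiate. Part 2: an HMAC over the payload, so only state the server
    // itself issued is accepted, and it is checked before anything is parsed.
    public string Encode(SurveyState s)
    {
        string payload = s.SurveyId + ":" + s.PageIndex;
        return payload + "." + Convert.ToBase64String(Mac(payload));
    }

    public bool TryDecode(string token, out SurveyState state)
    {
        state = null;
        int dot = token.LastIndexOf('.');          // base64 never contains '.'
        if (dot < 0) return false;
        string payload = token.Substring(0, dot);

        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }

        if (!FixedTimeEquals(presented, Mac(payload))) return false;

        string[] parts = payload.Split(':');
        int id, page;
        if (parts.Length != 2
            || !int.TryParse(parts[0], out id)
            || !int.TryParse(parts[1], out page)) return false;

        state = new SurveyState { SurveyId = id, PageIndex = page };
        return true;
    }

    private byte[] Mac(string payload)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Constant-time comparison so the MAC check does not leak via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key); // demo only; use a persistent key in production
        var codec = new StateCodec(key);

        string token = codec.Encode(new SurveyState { SurveyId = 42, PageIndex = 3 });
        SurveyState restored;
        Console.WriteLine(codec.TryDecode(token, out restored));                   // server-issued token is accepted
        Console.WriteLine(codec.TryDecode(token.Replace("42:3", "42:9"), out restored)); // altered payload: MAC mismatch, rejected
    }
}
```

The practitioner point is that the fix is not "validate the object after deserializing it": with a type-naming serializer the damage is done during deserialization. Remove the client's ability to name types, bind the decoder to one concrete shape, and authenticate the blob before touching it.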
Affected products
Checkbox Survey (all versions prior to 7)