What is Checkbox Survey?
Checkbox Survey is an ASP.NET web application used by enterprises and government agencies to create, distribute, and analyze online surveys and forms. Checkbox Survey is deployed on internal web servers and intranets to collect employee feedback, conduct compliance assessments, and process structured data submissions. Version 6 and earlier of Checkbox Survey reached end-of-life status and no longer receive security updates. Version 7 was a substantial rewrite that resolved the underlying architectural issues. Government agencies deploying Checkbox Survey v6 represent a particular risk as their survey platforms may collect sensitive data from employees and the public.
Overview
CVE-2021-27852 is a pre-authentication .NET deserialization remote code execution vulnerability (CWE-502) in CheckboxWeb.dll, the core ASP.NET assembly of Checkbox Survey version 6 and earlier. The application deserializes attacker-supplied data without adequate type validation or safe deserialization controls, allowing an unauthenticated attacker to send a crafted serialized .NET object that triggers arbitrary code execution on the web server when deserialized. Because version 7 is a complete architectural rewrite, the CISA required action is unique: agencies must remove version 6 from their networks rather than apply a patch (no patch exists for the EOL version). Version 7 is not affected by this vulnerability.
Affected Versions
| Product | Status | Action |
|---|---|---|
| Checkbox Survey 6.x and earlier | EOL — Vulnerable | Remove from networks; no patch available |
| Checkbox Survey 7.x | Not vulnerable | No action required |
Technical Details
Checkbox Survey v6 uses ASP.NET's binary serialization (BinaryFormatter or equivalent) to process survey data and configuration objects. The CheckboxWeb.dll assembly exposes endpoints that accept serialized .NET objects without restricting which types can be deserialized:
- Root cause: Insecure deserialization (CWE-502) — CheckboxWeb.dll uses unsafe .NET deserialization that processes attacker-supplied serialized objects without type filtering or allowlisting
- Attack mechanism: Attacker crafts a malicious serialized .NET object using a gadget chain compatible with the Checkbox Survey application's loaded assemblies, targeting common .NET deserialization gadgets (TypeConfuseDelegate, ObjectDataProvider, etc.)
- Authentication required: None — the vulnerable deserialization endpoint is accessible before authentication
- Execution context: Code executes in the context of the ASP.NET application pool account (typically NETWORK SERVICE or a configured service account)
- No patch path: Because version 6 is EOL, Checkbox has not released a patch. Organizations must upgrade to version 7 (a separate migration, not an in-place patch) or remove the application entirely
Discovery
Identified by security researchers auditing ASP.NET web applications for .NET deserialization vulnerabilities. The vulnerability reflects a common pattern in older .NET web applications that relied on BinaryFormatter for session state and object serialization — a practice deprecated by Microsoft due to its inherent insecurity.
Exploitation Context
Checkbox Survey is widely deployed in US government agency intranets and enterprise environments for forms and data collection. The CISA KEV addition in April 2022 reflects confirmed exploitation in government environments approximately one year after CVE publication. Because Checkbox Survey v6 is an EOL product, organizations that delayed upgrading to v7 remained exposed indefinitely. The combination of a pre-auth RCE and deployment in high-value government networks makes this vulnerability significant despite lacking broad public coverage compared to more prominent 2021 vulnerabilities.
Remediation
- Remove Checkbox Survey version 6 and earlier from all networks immediately — per CISA's required action, this is an EOL product that cannot be patched
- Inventory all web servers for Checkbox Survey v6 deployments, including intranet and internal-only installations
- Upgrade to Checkbox Survey 7 or later — note that version 7 is a significant rewrite and migration requires data export/import from v6
- If immediate removal is not feasible, restrict web access to the Checkbox Survey application to internal-only IPs and apply WAF rules blocking serialized .NET object submissions (base64-encoded AAEAAAD patterns)
- Review web server logs for POST requests to Checkbox Survey endpoints containing serialized data from unexpected sources
- After removal, audit the web server for webshells or persistence artifacts that may have been installed through prior exploitation
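As an added example (not part of this advisory or of the Checkbox product), a Python check that a WAF hook or request-logging middleware could apply to POST bodies before they reach the application: it flags the BinaryFormatter stream header in raw, base64 and percent-encoded form, and also catches the case where a leading byte shifts the base64 alignment so that a plain "AAEAAAD" pattern rule would miss it. The sample bodies are constructed; standard IIS access logs do not record request bodies, so this has to run where the body is still available.

```python
import base64
import re
from urllib.parse import unquote_plus

# Leading bytes of every BinaryFormatter stream: SerializationHeaderRecord (0x00),
# RootId = 1 (01 00 00 00), HeaderId = -1 (FF FF FF FF).
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
# The same nine bytes base64-encoded from an aligned start; this is the
# "AAEAAAD" pattern the WAF rule in the remediation list keys on.
BASE64_MAGIC_PREFIX = "AAEAAAD/////"

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_binaryformatter_payloads(body: bytes) -> list:
    """Return the reasons why `body` looks like it carries a BinaryFormatter
    stream: 'raw', 'base64' or 'base64-unaligned'. Empty list means clean."""
    hits = []
    if BINARYFORMATTER_MAGIC in body:
        hits.append("raw")
    # Form posts percent-encode '+', '/' and '=' inside base64 values, so decode once.
    text = unquote_plus(body.decode("latin-1"))
    for run in _B64_RUN.findall(text):
        if run.startswith(BASE64_MAGIC_PREFIX):
            hits.append("base64")
            continue
        # A single junk byte in front of the stream shifts the base64 alignment and
        # defeats the prefix match, so decode the run and look for the magic bytes.
        stripped = run.rstrip("=")
        padded = stripped + "=" * (-len(stripped) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        if BINARYFORMATTER_MAGIC in decoded:
            hits.append("base64-unaligned")
    return hits


# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = {
    "benign": b"surveyId=12&answer=Yes",
    "raw": b"state=" + BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x00",
    "base64": b"state=" + base64.b64encode(BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00"),
    "urlencoded": b"state=AAEAAAD%2F%2F%2F%2F%2FAQAAAA%3D%3D",
    "unaligned": b"state=" + base64.b64encode(b"\x00" + BINARYFORMATTER_MAGIC + b"\x00" * 6),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:10s} -> {find_binaryformatter_payloads(body)}")
```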
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-27852 |
| Vendor / Product | Checkbox — Checkbox Survey |
| NVD Published | 2021-05-27 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-502 |
| CISA KEV Added | 2022-04-11 |
| CISA KEV Deadline | 2022-05-02 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-05-27 | CVE published |
| 2021-06 | Proof-of-concept deserialization exploits published |
| 2022-04-11 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-02 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Checkbox Survey Version 6 End-of-Life Notice | Vendor Advisory |
| NVD — CVE-2021-27852 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |