CVE-2023-29492 — Novi Survey Insecure Deserialization Vulnerability

Novi Survey Web Application — Pre-Auth .NET Deserialization Enables RCE in Service Account Context; Rapid KEV Addition April 2023

What is Novi Survey?

Novi Survey is a commercial web-based survey creation and management platform used by organizations to collect feedback, conduct research, and manage data via online surveys. The application is hosted on IIS/.NET infrastructure and provides form creation, response collection, reporting, and survey distribution tools. As a web application that collects and stores user-submitted data, Novi Survey servers may process sensitive responses (employee feedback, research data, customer information) and are accessible from the internet — making vulnerabilities in the platform's request handling a direct attack surface.

Overview

CVE-2023-29492 is an insecure deserialization vulnerability in Novi Survey that allows a remote, unauthenticated attacker to execute arbitrary code on the server in the context of the service account running Novi Survey. Novi Survey released a patch on April 11, 2023; CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog two days later, on April 13, indicating that active exploitation was confirmed almost immediately after public disclosure. A two-day KEV turnaround reflects CISA's assessment that the vulnerability was being exploited in the wild at or around the time of publication.

Affected Versions

Product: Novi Survey
Status: Versions prior to the April 2023 security update

Administrators should apply the update described in the Novi Survey April 2023 security advisory.

Technical Details

CWE-94 (Improper Control of Generation of Code, 'Code Injection'). Novi Survey's .NET web application accepts serialized data objects in HTTP requests. Because deserialization is not restricted to expected types, an attacker can send a specially crafted HTTP request containing a malicious serialized .NET object. When the application deserializes it, the .NET runtime reconstructs the object graph and, in doing so, invokes a chain of existing framework or library types (a gadget chain) whose side effects end in attacker-controlled code execution. This is a well-established pattern in .NET deserialization attacks against BinaryFormatter, JavaScriptSerializer (with a type resolver), and similar deserializers.

Code execution occurs in the context of the Windows service account running Novi Survey (typically an IIS application pool identity or a dedicated service account). Depending on configuration, this may provide access to:

  • All survey data and responses stored in the database
  • The server's filesystem and network shares accessible to the service account
  • Credentials or connection strings in application configuration files

The attack requires no authentication — the vulnerable deserialization endpoint is reachable without logging in.

Discovery

Identified by security researchers and reported to Novi Survey. Novi Survey published a security advisory and patch in April 2023. The rapid CISA KEV addition (2 days) suggests the vulnerability was under active exploitation at the time of disclosure, potentially having been exploited as a zero-day before the patch.

Exploitation Context

The 2-day gap between CVE publication (April 11) and CISA KEV addition (April 13) is one of the shortest turnarounds in the KEV catalog, indicating CISA had evidence of in-the-wild exploitation essentially immediately. While Novi Survey is a relatively niche platform compared to major enterprise software, deserialization vulnerabilities are highly reliable — once a gadget chain is identified for the target .NET runtime version, exploitation is straightforward and consistent.

Organizations using Novi Survey for collecting sensitive data (HR surveys, compliance questionnaires, research data) should treat any compromise as a potential data breach affecting all stored survey responses.

Remediation

  1. Apply the Novi Survey security update from the April 2023 advisory immediately.
  2. Review Novi Survey server logs for unusual POST requests or responses indicating deserialization attack attempts — particularly requests around and before April 13, 2023.
  3. Audit the server for signs of post-exploitation: web shells, new user accounts, unauthorized scheduled tasks, or unexpected outbound network connections.
  4. Assess whether sensitive survey data was exposed — review what data was collected and stored in the Novi Survey database during the potential exploitation window.
  5. Rotate any credentials (database connection strings, API keys) stored in Novi Survey's configuration files.
  6. Restrict Novi Survey's IIS application pool to minimum necessary permissions — service accounts should not have administrative rights or broad filesystem access.
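Remediation step 2 asks for a review of the server logs. The following is an added example, not code from the advisory or from Novi Survey: it triages IIS W3C log records for unauthenticated POST requests inside the window leading up to the KEV addition and flags those that are also unusually large or produced a server error. The log lines, paths, addresses, user agents and the 32 KiB size threshold are constructed assumptions; IIS logs record request size but not request bodies, so this is a first-pass filter for deeper review, not a confirmation of exploitation.

```python
from datetime import date, datetime

# Constructed sample in IIS W3C extended log format. Paths, addresses, sizes
# and user agents are invented for this example, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status cs-bytes
2023-04-09 02:14:07 GET /NoviSurvey/ - 198.51.100.7 Mozilla/5.0 200 412
2023-04-09 02:14:09 POST /NoviSurvey/Survey.aspx - 198.51.100.7 Mozilla/5.0 200 2048
2023-04-12 23:41:52 POST /NoviSurvey/Default.aspx - 203.0.113.9 python-requests/2.28 500 94123
2023-04-12 23:42:01 POST /NoviSurvey/Default.aspx - 203.0.113.9 python-requests/2.28 200 94210
2023-04-20 08:00:00 POST /NoviSurvey/Survey.aspx jsmith 198.51.100.8 Mozilla/5.0 200 1536
"""

WINDOW_START = date(2023, 3, 1)   # assumption: how far back to look
WINDOW_END = date(2023, 4, 13)    # CISA KEV addition date from the advisory
LARGE_BODY_BYTES = 32_768         # assumption: unusually large for a survey form post

def parse_w3c(text):
    # Yield one dict per record, keyed by the names in the #Fields directive.
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, start=WINDOW_START, end=WINDOW_END, large=LARGE_BODY_BYTES):
    # Return POSTs inside the window that show at least two suspicious traits.
    findings = []
    for rec in parse_w3c(text):
        when = datetime.fromisoformat(rec["date"] + " " + rec["time"])
        if rec["cs-method"] != "POST" or not (start <= when.date() <= end):
            continue
        status, size = int(rec["sc-status"]), int(rec["cs-bytes"])
        reasons = []
        if rec["cs-username"] == "-":
            reasons.append("unauthenticated")      # the flaw is reachable pre-auth
        if size >= large:
            reasons.append("large request body")   # serialized payloads are bulky
        if status >= 500:
            reasons.append("server error")         # failed deserialization attempts
        if len(reasons) >= 2:
            findings.append({"when": when, "client": rec["c-ip"], "path": rec["cs-uri-stem"],
                             "status": status, "bytes": size, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["when"], f["client"], f["path"], f["status"], f["bytes"], ", ".join(f["reasons"]))
```

Point it at the real log directory by concatenating the daily W3C files into `text`; any client that appears in the findings should then be correlated with the post-exploitation checks in steps 3 and 4.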

Key Details

CVE ID: CVE-2023-29492
Vendor / Product: Novi Survey / Novi Survey
NVD Published: 2023-04-11
NVD Last Modified: 2025-10-27
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-94
CISA KEV Added: 2023-04-13
CISA KEV Deadline: 2023-05-04
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-05-04. Apply updates per vendor instructions.

Timeline

2023-04-11: CVE-2023-29492 published; Novi Survey releases patch for the insecure deserialization vulnerability
2023-04-13: CISA adds the CVE to the Known Exploited Vulnerabilities catalog (two-day turnaround, indicating active exploitation)
2023-05-04: CISA BOD 22-01 remediation deadline

References

Novi Survey Security Advisory, April 2023 (vendor advisory)
NVD entry for CVE-2023-29492 (vulnerability database)
CISA KEV catalog entry (US government)