What is CVE-2023-29492?

A critical vulnerability has been identified in 3rdmill's Novi Survey, allowing remote attackers to execute arbitrary code. Organizations must patch immediately to mitigate risks related to this vulnerability.

What is the severity of CVE-2023-29492?

CVE-2023-29492 has a severity rating of CRITICAL with a CVSS base score of 9.8.

Is CVE-2023-29492 in CISA KEV?

Yes. CVE-2023-29492 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize remediation.

CVE-2023-29492 | Critical Vulnerability in 3rdmill Novi Survey

Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data. The vulnerability has been classified as critical, with a CVSS score of 9.8, indicating that it poses a significant risk to organizations.

The attack vector for this vulnerability is network-based, requiring no privileges or user interaction, which significantly increases the potential for exploitation. Organizations should prioritize patching immediately to address this vulnerability and protect their systems.

Risk to organizations includes potential unauthorized execution of code, leading to system compromise. Given the high CVSS score and the nature of the vulnerability, timely remediation is essential.

As of now, there are no reported public exploits or proofs of concept available. However, the presence of this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog indicates that it is of significant concern and should not be ignored.

Organizations must remain vigilant and ensure that they apply the necessary updates as per vendor instructions to mitigate potential risks from this vulnerability.

Vulnerability Details

Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This vulnerability is classified as a CWE-94 (Code Injection) issue, which has been assigned a CVSS score of 9.8, indicating its critical nature. The affected product is the Novi Survey, developed by 3rdmill.

The vulnerability was published on April 11, 2023, and emphasizes the importance of timely updates to prevent exploitation. The lack of required privileges or user interaction makes this vulnerability particularly dangerous.

Technical Analysis

The root cause of this vulnerability stems from improper handling of input data, allowing attackers to execute arbitrary code remotely. The attack vector is network-based, meaning that an attacker can exploit the vulnerability without needing physical access to the system. The attack complexity is low, and no privileges or user interaction are required to exploit this vulnerability.

The potential impacts on confidentiality, integrity, and availability are high, as successful exploitation may lead to unauthorized access and control over affected systems. Organizations using Novi Survey should be aware of the significant risks associated with this vulnerability.

Risk & Impact Analysis

The risk to organizations includes unauthorized execution of code, which can lead to a complete takeover of affected systems. The critical CVSS score indicates a high urgency for patching. The vulnerability is included in the KEV catalog, which suggests that it is being actively monitored and could be exploited by malicious actors. Therefore, organizations must act swiftly to mitigate these risks.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	Yes
Ransomware Use	No

Affected Versions

The affected versions of Novi Survey include all versions prior to 8.9.43676. Organizations using these versions should take immediate action to upgrade to the latest version.

Mitigation & Remediation

Organizations should apply updates per vendor instructions to mitigate this vulnerability. For further guidance, consider engaging in penetration testing to identify any remaining vulnerabilities and ensure the security of your systems.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual activity, analyze behavioral anomalies, and look for network signatures indicative of attacks targeting the Novi Survey.

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing risk associated with insecure deserialization in widely used applications. Security teams should be aware of this trend and ensure their applications are resilient against similar vulnerabilities. For a comprehensive understanding of application security, organizations can refer to the penetration testing methodology and consider implementing a vulnerability management program to better identify and address security weaknesses.

Understanding the landscape of vulnerabilities, including the current trends in exploitation, can help organizations develop more effective security strategies. Therefore, it is crucial to stay informed about emerging threats and best practices for application security.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2023-29492: Critical Vulnerability in 3rdmill Novi Survey