CVE-2021-27852
Published: 27 May 2021
Summary
CVE-2021-27852 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Checkbox Survey. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-27852 is a deserialization of untrusted data vulnerability (CWE-502) located in CheckboxWeb.dll within Checkbox Survey. The flaw affects all versions prior to 7 and carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no authentication required.
An unauthenticated remote attacker can supply a crafted serialized object to CheckboxWeb.dll, triggering arbitrary code execution on the server with no user interaction required. Successful exploitation grants the attacker full confidentiality, integrity, and availability impact on the affected survey application.
The vulnerability is tracked in the CISA Known Exploited Vulnerabilities catalog and referenced in CERT/CC advisory VU#706695, indicating that official sources treat it as actively exploited and recommend applying the vendor-supplied update to version 7 or later as the primary mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-14590
Vulnerability details
Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions prior to 7.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV date added: 11 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch that eliminates the vulnerable deserialization routine in CheckboxWeb.dll.
- SI-10 (Information Input Validation): enforces validation of all input before deserialization, blocking crafted serialized objects from unauthenticated remote sources.
- Malicious-code protection: deploys detection mechanisms that can identify or block the arbitrary code executed via the deserialization flaw.
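The following C# program is an added illustration of the control described above (validate before deserializing, and remove the polymorphic deserializer) for a generic .NET web application; it is not Checkbox Survey code, and the page does not state which serializer CheckboxWeb.dll uses. It assumes the classic .NET CWE-502 shape, a BinaryFormatter-style deserializer that instantiates whatever types the payload names, and a .NET 6 or later SDK. The type names SurveyResponse, ResponseReader and AllowListBinder are hypothetical.

```csharp
// Added example (not Checkbox Survey code). Assumes .NET 6+ and a BinaryFormatter-style
// CWE-502 shape; all type names below are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical record a survey endpoint might accept.
public sealed class SurveyResponse
{
    public string SurveyId { get; set; } = "";
    public int Score { get; set; }
}

public static class ResponseReader
{
    // VULNERABLE SHAPE (CWE-502): the payload names the types to instantiate, so an
    // unauthenticated caller controls which classes are constructed. Never call this
    // on request data; it is shown only as the pattern the hardened code replaces.
#pragma warning disable SYSLIB0011
    public static object LegacyUnsafeRead(Stream untrusted) =>
        new BinaryFormatter().Deserialize(untrusted);
#pragma warning restore SYSLIB0011

    // HARDENED: deserialize into one declared concrete type with a data-only
    // serializer (no type names honoured from the payload), then validate the
    // content (NIST SI-10) before the application uses it.
    public static SurveyResponse? ReadValidated(string json)
    {
        var options = new JsonSerializerOptions { MaxDepth = 8 };
        SurveyResponse? r;
        try { r = JsonSerializer.Deserialize<SurveyResponse>(json, options); }
        catch (JsonException) { return null; }
        if (r is null || string.IsNullOrWhiteSpace(r.SurveyId) || r.SurveyId.Length > 64)
            return null;
        if (r.Score < 0 || r.Score > 10) return null;
        return r;
    }
}

// DEFENSE IN DEPTH for code that cannot drop BinaryFormatter yet: a binder that
// refuses every type not on an allow-list, so a payload naming any other type is
// rejected before instantiation. This narrows the attack surface but does not make
// BinaryFormatter safe; removing it (the vendor fix) remains the real mitigation.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        [typeof(SurveyResponse).FullName!] = typeof(SurveyResponse),
    };

    public override Type? BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Log and reject: a denied type during deserialization is a detection event in itself.
        Console.Error.WriteLine($"[deserialization-denied] type={typeName} asm={assemblyName}");
        throw new SerializationException($"Type not permitted: {typeName}");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(ResponseReader.ReadValidated("{\"SurveyId\":\"s-1\",\"Score\":7}") is not null);
        Console.WriteLine(ResponseReader.ReadValidated("{\"SurveyId\":\"s-1\",\"Score\":99}") is null);
        Console.WriteLine(ResponseReader.ReadValidated("not json at all") is null);

        // Wiring the binder into a legacy formatter: formatter.Binder = new AllowListBinder();
        var binder = new AllowListBinder();
        Console.WriteLine(binder.BindToType("", typeof(SurveyResponse).FullName!) == typeof(SurveyResponse));
        try { binder.BindToType("mscorlib", "System.Collections.Hashtable"); }
        catch (SerializationException e) { Console.WriteLine(e.Message); }
    }
}
```

The design point is that the serializer choice is the control: a data-only serializer bound to a concrete type cannot be steered into constructing attacker-chosen classes, whereas an allow-list binder on a polymorphic formatter only shrinks the set of reachable types. Either way, the denied-type log line gives a SOC something concrete to alert on while the vendor update to version 7 is rolled out.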