Cyber Resilience

CVE-2023-29492

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 11 April 2023
Modified: 27 October 2025
KEV Added: 13 April 2023
Patch: available (vendor update 8.9.43676 or later)
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.1833 (95.4th percentile)
Risk Priority: 51 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29492 is a critical-severity code injection (CWE-94) vulnerability in 3rdmill Novi Survey, with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, it ranks in the top 4.6% of all CVEs by exploit likelihood (EPSS 0.1833, 95.4th percentile), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

Novi Survey versions prior to 8.9.43676 contain a code injection vulnerability tracked as CVE-2023-29492 and assigned CWE-94. The flaw permits remote attackers to execute arbitrary code on the server in the context of the service account, though the issue does not expose stored survey or response data. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required authentication or user interaction.

Unauthenticated remote attackers can exploit the flaw over the network to run arbitrary commands on the affected server. Successful exploitation grants code execution privileges equivalent to the service account but does not extend to reading or modifying survey content or collected responses.

The vendor advisory published by Novi Survey recommends upgrading to version 8.9.43676 or later. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming that exploitation has been observed in the wild. The associated EPSS score has remained near 0.18 without a pronounced increase after disclosure.

Vulnerability details

Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 13 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: 3rdmill
Product: Novi Survey
Versions: ≤ 8.9.43676

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): directly requires timely installation of the vendor-supplied update (8.9.43676 or later) that eliminates the unauthenticated RCE flaw.

Detect (RA-5, Vulnerability Monitoring and Scanning): mandates continuous vulnerability scanning to discover exposed Novi Survey instances still running versions prior to 8.9.43676.

Prevent (SC-7, Boundary Protection): boundary-protection rules can restrict or deny inbound network access to the survey application, reducing the attack surface for remote exploitation until the update is applied.
