VYPR
High severity · NVD Advisory · Published Jun 10, 2024 · Updated Aug 21, 2024

CVE-2024-36528

Description

nukeviet v.4.5 and before and nukeviet-egov v.1.2.02 and before have a Deserialization vulnerability which results in code execution via /admin/extensions/download.php and /admin/extensions/upload.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deserialization vulnerability in NukeViet CMS and NukeViet-eGov allows remote code execution via admin extensions upload/download.

Vulnerability Overview

A deserialization vulnerability exists in NukeViet CMS versions 4.5 and earlier and NukeViet-eGov versions 1.2.02 and earlier [1]. The flaw is present in the admin panel's extension management functionality, specifically in the /admin/extensions/download.php and /admin/extensions/upload.php scripts. Insecure deserialization of untrusted data enables an attacker to execute arbitrary code on the server.

Exploitation Prerequisites

An attacker must have administrative access to the NukeViet site to reach the vulnerable pages. With valid admin credentials, they can craft a malicious serialized object and send it via the upload or download functionality. No other authentication bypass is required, but the attack is limited to authenticated administrators.

Impact

Successful exploitation results in remote code execution (RCE) in the context of the web server user. This can lead to full compromise of the affected website, including data theft, defacement, or pivoting to internal network resources. The vulnerability is rated high severity because of the potential for complete system takeover.

Mitigation

NukeViet has released patches for both CMS and eGov versions. Users are strongly advised to upgrade to a NukeViet CMS version above 4.5 and a NukeViet-eGov version above 1.2.02 [1][2]. No workarounds are documented; updating is the only reliable mitigation. The CVE is actively tracked but not yet listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| nukeviet/nukeviet (Packagist) | <= 4.5 | |

Affected products: 2

Patches: 0

No patches discovered yet.

References: 3
