CVE-2024-36528
📋 TL;DR
This vulnerability allows remote code execution through insecure deserialization in NukeViet and NukeViet-eGov admin interfaces. Attackers can exploit the /admin/extensions/download.php and /admin/extensions/upload.php endpoints to execute arbitrary code on affected systems. Organizations using NukeViet v4.5 and earlier or NukeViet-eGov v1.2.02 and earlier are affected.
💻 Affected Systems
- NukeViet
- NukeViet-eGov
📦 What is this software?
Egovernment by Nukeviet
Nukeviet by Nukeviet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized administrative access leading to website defacement, data theft, or backdoor installation.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Exploitation requires access to admin endpoints but is straightforward once authenticated or if authentication is bypassed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NukeViet v4.5.01+, NukeViet-eGov v1.2.03+
Vendor Advisory: https://github.com/nukeviet/nukeviet/releases
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download the latest version from the official repository.
3. Replace affected files with patched versions.
4. Verify functionality.
🔧 Temporary Workarounds
Restrict Admin Access
Block access to the vulnerable admin endpoints using web server configuration or firewall rules.
# Apache (server or virtual-host context; in a per-directory .htaccess the path is matched without the leading slash):
RewriteEngine On
RewriteRule ^/admin/extensions/(download|upload)\.php$ - [F]
# Nginx:
location ~ ^/admin/extensions/(download|upload)\.php$ { deny all; }
Remove Vulnerable Files
Delete or rename the vulnerable PHP files to prevent exploitation.
rm /path/to/admin/extensions/download.php
rm /path/to/admin/extensions/upload.php
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the admin interface.
- Deploy a web application firewall (WAF) with rules to block deserialization attacks.
🔍 How to Verify
Check if Vulnerable:
Check whether /admin/extensions/download.php and /admin/extensions/upload.php exist, and compare the version recorded in the configuration files against the patched versions listed above.
Check Version:
grep -r 'define.*NV_VERSION' /path/to/nukeviet/
Alternatively, check the config.php files.
Verify Fix Applied:
Verify that vulnerable files have been removed or replaced with patched versions, and test that deserialization attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /admin/extensions/download.php or /admin/extensions/upload.php
- PHP deserialization errors in web server logs
Network Indicators:
- HTTP requests containing serialized PHP objects to admin endpoints
SIEM Query:
source="web_logs" AND (url="/admin/extensions/download.php" OR url="/admin/extensions/upload.php") AND (method="POST" OR status>=400)
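As an added example (not part of this advisory), the following Python scans web server access-log lines for the log indicators listed above: POST requests to the two admin endpoints, query strings carrying a serialized PHP object marker (O:<length>:"<class>":), and error responses on those paths. The log lines are constructed samples in Apache/Nginx combined format, and the serialized value is an empty stdClass object used only to exercise the detector.

```python
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The two endpoints named in the advisory.
WATCHED_PATHS = ("/admin/extensions/download.php", "/admin/extensions/upload.php")
# Marker of a serialized PHP object: O:<name length>:"<class name>":
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":')


def scan_line(line):
    """Return the indicator names triggered by one log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("path").partition("?")
    if path not in WATCHED_PATHS:
        return []
    hits = []
    if m.group("method") == "POST":
        hits.append("post_to_admin_extensions")
    # Decode twice: query strings are often percent-encoded more than once by tooling.
    if PHP_OBJECT_RE.search(unquote(unquote(query))):
        hits.append("serialized_php_object_in_query")
    if int(m.group("status")) >= 400:
        hits.append("error_status")
    return hits


def scan_log(lines):
    """Map each flagged line to its indicators, skipping clean lines."""
    results = {}
    for line in lines:
        hits = scan_line(line)
        if hits:
            results[line] = hits
    return results


# Constructed sample lines (not real traffic). The third carries O:8:"stdClass":0:{} percent-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:07 +0000] "POST /admin/extensions/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2024:10:00:09 +0000] "GET /admin/extensions/download.php?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG).items():
        print(hits, line[:90])
```

Feed it real access logs line by line (for example, `scan_log(open("/var/log/nginx/access.log"))`) and forward any non-empty result to the SIEM alongside the query above.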