CVE-2024-36528 is a deserialization vulnerability identified in nukeviet version 4.5 and earlier, as well as nukeviet-egov version 1.2.02 and earlier. The vulnerability resides in the handling of serialized data within the /admin/extensions/download.php and /admin/extensions/upload.php scripts. Deserialization vulnerabilities occur when untrusted data is deserialized without proper validation, enabling attackers to craft malicious payloads that execute arbitrary code on the server. In this case, an attacker with low-level privileges (PR:L) can remotely exploit the vulnerability over the network (AV:N) without requiring user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H), allowing full system compromise. The CVSS 3.1 score of 8.8 reflects the high severity of this flaw. Although no public exploits have been reported yet, the presence of this vulnerability in administrative extension management endpoints makes it a critical risk, as these endpoints often have elevated privileges and access to sensitive system functions. The root cause is unsafe deserialization (CWE-502), a common and dangerous flaw in web applications that handle serialized objects insecurely. Organizations running affected versions should urgently assess their exposure and apply patches or mitigations once available.

The exploitation of CVE-2024-36528 can lead to complete compromise of the affected web server, including unauthorized access to sensitive data, modification or deletion of critical files, and disruption of service. Since the vulnerability allows remote code execution with low privileges and no user interaction, attackers can escalate privileges, deploy malware, or pivot within the network. This can result in data breaches, service outages, and potential lateral movement to other internal systems. Organizations relying on nukeviet or nukeviet-egov for government, enterprise, or public-facing websites face reputational damage and regulatory consequences if exploited. The vulnerability's presence in administrative extension upload and download functionality increases the risk of supply chain or plugin-based attacks. Given the high CVSS score and the critical nature of the flaw, the impact is severe for organizations that have not yet mitigated the vulnerability.

1. Immediately restrict access to /admin/extensions/download.php and /admin/extensions/upload.php endpoints using network-level controls such as IP whitelisting or VPN-only access. 2. Apply official patches or updates from the nukeviet development team as soon as they are released. 3. If patches are not yet available, disable or remove the vulnerable extension management features temporarily to prevent exploitation. 4. Implement strict input validation and sanitization on any serialized data processed by these endpoints to prevent malicious payloads. 5. Conduct thorough code reviews and security testing focusing on deserialization processes within the application. 6. Monitor web server logs and intrusion detection systems for unusual activity targeting these endpoints. 7. Employ web application firewalls (WAF) with custom rules to detect and block suspicious serialized payloads. 8. Educate administrators about the risk and ensure they use strong, unique credentials to reduce the risk of privilege escalation. 9. Regularly back up critical data and verify the integrity of backups to enable recovery in case of compromise.