Cyber Posture

CVE-2023-53776

Severity: High · Public PoC

Published: 10 December 2025

Modified: 02 January 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-53776 is a high-severity Session Fixation (CWE-384) vulnerability in DB Broadcast SFT DAB 600/C firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 44.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- SC-23 (prevent): requires mechanisms to protect communications session authenticity, directly addressing the weak session management that enables IP-bound session identifier reuse for authentication bypass.
- IA-5 (prevent): mandates management of authenticators, including session identifiers, through protection from disclosure, refresh, and secure handling to prevent unauthorized reuse.
- AC-12 (prevent): enforces automatic session termination after defined conditions, invalidating session identifiers and blocking their reuse by attackers on adjacent networks.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a network-accessible device management API exploitable from adjacent networks without authentication, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. Attackers can issue unauthorized requests to the device management API by leveraging the session binding mechanism to perform critical operations on the transmitter.

Deeper analysis [AI-generated]

CVE-2023-53776 is an authentication bypass vulnerability in Screen SFT DAB version 1.9.3, caused by weak session management that permits attackers to reuse IP-bound session identifiers. This flaw affects the software component used for managing Digital Audio Broadcasting (DAB) transmitters, enabling exploitation of the session binding mechanism to issue unauthorized requests to the device management API and perform critical operations on the transmitter. The vulnerability is classified under CWE-384 (Session Fixation) with a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Attackers on an adjacent network (AV:A) can exploit this without prior authentication (PR:N) or user interaction (UI:N) by capturing a legitimate session identifier bound to a specific IP address and reusing it for malicious requests. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, granting unauthorized control over transmitter operations via the device management API.

Advisories, including those from VulnCheck and references on vendor sites like DB Broadcast and Screen, provide details on the authentication bypass via session management weakness. A proof-of-concept exploit is publicly available on Exploit-DB (ID 51459), highlighting the need to review these resources for detection and mitigation guidance.

Details

CWE(s): CWE-384 (Session Fixation)

Affected Products

Vendor: dbbroadcast
Product: sft dab 600/c firmware
Version: 1.9.3

CVEs Like This One

- CVE-2023-53968: same product (DB Broadcast SFT DAB 600/C)
- CVE-2023-53740: same product (DB Broadcast SFT DAB 600/C)
- CVE-2023-53741: same product (DB Broadcast SFT DAB 600/C)
- CVE-2025-66262: same vendor (DB Broadcast)
- CVE-2025-63228: same vendor (DB Broadcast)
- CVE-2025-66261: same vendor (DB Broadcast)
- CVE-2025-66250: same vendor (DB Broadcast)
- CVE-2025-66254: same vendor (DB Broadcast)
- CVE-2025-63529: shared CWE-384
- CVE-2025-66253: same vendor (DB Broadcast)

References