CVE-2023-53888

HighPublic PoCRCE

Published: 15 December 2025

Published

15 December 2025

Modified

24 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0069 72.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-53888 is a high-severity Code Injection (CWE-94) vulnerability in Zomp Zomplog. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates file inputs during saveE and rename actions to block injection of malicious JavaScript files renamed to PHP, directly preventing code execution.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict low-privilege authenticated users from accessing file manipulation endpoints that enable arbitrary PHP code execution.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in Zomplog's file upload and rename functions to eliminate the remote code execution vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote code execution in a public-facing web blogging application via authenticated file upload and rename to PHP for arbitrary code execution, directly enabling T1190 (Exploit Public-Facing Application) and facilitating web shell deployment and execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the…

saveE and rename actions in the application.

Deeper analysisAI

CVE-2023-53888 is a remote code execution vulnerability affecting Zomplog 3.9, a blogging application. The flaw, classified under CWE-94 (Code Injection), enables authenticated attackers to inject and execute arbitrary PHP code via file manipulation endpoints. Specifically, attackers exploit the saveE and rename actions to upload malicious JavaScript files, rename them with .php extensions, and execute system commands.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS 3.1 score of 8.8. Successful exploitation allows full remote code execution on the server, potentially leading to complete system compromise.

Advisories, including one from Vulncheck, describe the issue as remote code execution via authenticated file manipulation. Proof-of-concept exploits are publicly available on Exploit-DB (ID 51624). An archived reference to the Zomplog project dates back to 2008, indicating it is legacy software with no mentioned patches in the provided references.