Cyber Resilience

CVE-2023-53913

MediumPublic PoC

Published: 17 December 2025

Published
17 December 2025
Modified
24 December 2025
KEV Added
Patch
CVSS Score v4 6.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0062 44.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-53913 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Rukovoditel Rukovoditel. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-53913 is a CSV injection vulnerability in Rukovoditel version 3.3.1. The flaw resides in the firstname field, where authenticated users can inject malicious formulas, such as =calc|a!z|, without proper sanitization. It is classified under CWE-1236 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its network reach, low complexity, and potential for significant impact.

An authenticated user with low privileges can exploit this by injecting a crafted payload into their firstname field during account creation or modification. The attack activates when an administrator exports customer data to a CSV file; upon opening the file in a spreadsheet application like Excel or LibreOffice, the injected formula executes arbitrary code on the administrator's local machine, potentially leading to full compromise.

Advisories and proof-of-concept exploits are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/51490), a Vulncheck advisory on the issue (https://www.vulncheck.com/advisories/rukovoditel-csv-injection-via-user-account-export), and the vendor site (https://www.rukovoditel.net/). These resources detail the vulnerability but do not specify patch availability or mitigation steps in the provided information.

EU & UK References

Vulnerability details

Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The CSV injection vulnerability in the web application (public-facing, AV:N/PR:L) enables low-privileged authenticated users to exploit it for privilege escalation (T1068, T1190) by injecting malicious formulas into exported CSV files, facilitating arbitrary code execution via user opening of the malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-51302Shared CWE-1236
CVE-2023-46400Shared CWE-1236
CVE-2024-45084Shared CWE-1236
CVE-2025-55745Shared CWE-1236
CVE-2026-35157Shared CWE-1236
CVE-2023-46401Shared CWE-1236
CVE-2020-36962Shared CWE-1236
CVE-2026-31049Shared CWE-1236
CVE-2024-55532Shared CWE-1236
CVE-2025-56267Shared CWE-1236

Affected Assets

rukovoditel
rukovoditel
3.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Filters firstname field content during CSV export to neutralize formula injection payloads like =calc|a!z| before transmission to spreadsheet applications.

prevent

Validates and sanitizes inputs to the firstname field to prevent storage of malicious formula elements by authenticated users.

prevent

Remediates the specific flaw in Rukovoditel 3.3.1 by patching the lack of sanitization in user input handling for CSV exports.

References