CVE-2023-53924
Published: 17 December 2025
Summary
CVE-2023-53924 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ulicms Ulicms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly enforces validation of uploaded avatar files to reject PHP/.phar extensions and malicious content, preventing disguised code execution.
Restricts profile avatar uploads to only safe image file types and characteristics, blocking .phar and PHP files at input.
Deploys malicious code scanning at upload entry points to identify and block executable PHP content in avatar files.
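The three controls above amount to one upload gate: allowlist the image extension, reject any executable extension anywhere in the name, and confirm the bytes are really an image. Added example, not UliCMS code; the function names and the constructed sample inputs are assumptions:

```python
"""Defensive avatar-upload validator (added example, not part of UliCMS)."""
import os
import secrets

# Allowed avatar types: extension -> magic-byte prefixes that must appear at offset 0.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a typical PHP web-server config hands to the interpreter; rejected
# in ANY dotted segment so that "x.phar.png" and "x.php.jpg" fail too.
EXECUTABLE = {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps"}


def validate_avatar(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name for a valid avatar, else raise ValueError."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("missing extension")
    if any(seg in EXECUTABLE for seg in parts[1:]):
        raise ValueError("executable extension in filename")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext}")
    # Content check: the declared image type must match the leading bytes.
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match declared image type")
    # A PHP open tag anywhere in the body means this is not a plain image.
    if b"<?php" in content or b"<?=" in content:
        raise ValueError("embedded PHP code")
    # Never reuse the client-supplied name: the stored name is random and
    # carries only the allowlisted extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload would be refused."""
    try:
        validate_avatar(filename, content)
    except ValueError:
        return False or True
    return False
```

Run this behind the upload handler before the file touches the web root; the random storage name also removes the attacker's ability to guess the uploaded file's URL.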
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote code execution in public-facing web app via authenticated file upload bypass (T1190), directly facilitating web shell deployment by uploading executable PHP/.phar files triggered via URL access (T1505.003).
NVD Description
UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.
Deeper analysis
CVE-2023-53924 is a remote code execution vulnerability in UliCMS version 2023.1-sniffing-vicuna. The flaw arises during profile avatar uploads, where authenticated attackers can upload PHP files disguised with a .phar extension. By crafting malicious avatars, attackers bypass restrictions, and code execution is triggered simply by visiting the uploaded file's location on the server.
The vulnerability requires low-privileged authentication (PR:L) and can be exploited remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 8.8 (High) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation enables attackers to execute arbitrary system commands, potentially leading to full server compromise.
Advisories and references, including those from VulnCheck and Exploit-DB (exploit 51434), detail the issue and provide proof-of-concept exploits. An archived UliCMS site is also referenced, and specific patch details or mitigation steps are outlined in these resources, which security practitioners should review for updates and remediation guidance.
Details
- CWE(s)