Cyber Resilience

CVE-2023-53933

Severity: High · Public PoC available

Published: 17 December 2025
Modified: 24 December 2025
KEV Added: not listed
CVSS v4.0 base score: 8.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0087 (54.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-53933 is a high-severity unrestricted file upload vulnerability (CWE-434, Unrestricted Upload of File with Dangerous Type) in S9Y Serendipity 2.4.0. Its CVSS v4.0 base score is 8.7 (High); under CVSS v3.1 it scores 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced below.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-53933 is a remote code execution vulnerability in Serendipity 2.4.0, a PHP-based blogging platform. The media upload endpoint does not reject files with a .phar extension, so an authenticated user can upload a file containing PHP code under that name. On web servers whose PHP handler configuration maps .phar to the interpreter alongside .php and .phtml (the stock Apache configuration on Debian-family systems does this), requesting the uploaded file from the web-served media directory executes it, and a file carrying a system command payload gives the attacker arbitrary command execution on the server. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An attacker with low-privilege authenticated access, such as a registered user who can reach the media upload function, can exploit this vulnerability remotely over the network with low complexity and no user interaction. By uploading a .phar file containing a malicious payload to the media endpoint and then requesting it, the attacker achieves full remote code execution on the server, with high confidentiality, integrity and availability impact: server compromise, data theft, or further lateral movement.

Advisories and related resources, including the Serendipity documentation at https://docs.s9y.org/, a VulnCheck advisory at https://www.vulncheck.com/advisories/serendipity-authenticated-remote-code-execution-via-file-upload, and a public proof-of-concept exploit at https://www.exploit-db.com/exploits/51372, provide further details on the issue. Security practitioners should consult these for recommended mitigations, such as restricting upload permissions or applying any available patches.

Vulnerability details

Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability is an unrestricted file upload in a public-facing web application (Serendipity blogging platform), enabling exploitation of public-facing applications (T1190) and deployment of web shells via malicious PHP .phar files for remote code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
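The upload-then-fetch sequence described in the deeper analysis is what the T1505.003 mapping above looks like in a web server access log. The following script is an added example, not code from this page or from the Serendipity project: it correlates, per client address, a POST to the admin script with a later successful GET of a PHP-handled file under the upload directory. The admin script path `/serendipity_admin.php`, the upload directory `/uploads/` and the sample log lines are assumptions constructed for the example; the `.ph(ar|p|tml)$` pattern is the extension rule from the stock Apache PHP handler configuration on Debian-family systems.

```python
"""Hunt for a web shell dropped through the Serendipity media upload.

Added example (not code from the page or from the Serendipity project).
It correlates, per client address, a POST to the admin script with a later
successful GET of a file under the upload directory whose name the PHP
handler would execute.  The endpoint and upload-directory paths are
assumptions; replace them with the monitored install's real values.
"""
import re
from collections import defaultdict

# Apache "combined" access-log shape: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: admin script handling media uploads and the directory they land in.
UPLOAD_ENDPOINT_RE = re.compile(r'^/serendipity_admin\.php$')
UPLOAD_DIR_RE = re.compile(r'^/uploads/')

# Extensions the stock Apache PHP handler rule on Debian-family systems maps to
# the interpreter: <FilesMatch ".+\.ph(ar|p|tml)$">.  Only the final extension
# counts there, which is why .phar slips through a list that only blocks .php.
PHP_HANDLED_RE = re.compile(r'\.ph(?:ar|p|tml)$', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_drops(lines):
    """Return alerts for successful fetches of PHP-handled files under the
    upload directory.  Confidence is "high" when the same client POSTed to the
    admin script earlier in the window, "medium" otherwise."""
    posts_by_ip = defaultdict(list)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]  # match on the file, not the query string
        if ev["method"] == "POST" and UPLOAD_ENDPOINT_RE.match(path):
            posts_by_ip[ev["ip"]].append(ev["ts"])
        elif (ev["method"] == "GET" and ev["status"] == "200"
              and UPLOAD_DIR_RE.match(path) and PHP_HANDLED_RE.search(path)):
            prior = posts_by_ip.get(ev["ip"], [])
            alerts.append({
                "ip": ev["ip"],
                "ts": ev["ts"],
                "request": ev["path"],       # keep the query string as evidence
                "confidence": "high" if prior else "medium",
                "prior_uploads": list(prior),
            })
    return alerts


# Constructed sample lines (not a real capture).  The third line is the pattern
# the advisory describes: an upload, then a request to the dropped .phar.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Dec/2025:10:01:02 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [17/Dec/2025:10:01:30 +0000] "POST /serendipity_admin.php HTTP/1.1" 200 8713',
    '203.0.113.7 - - [17/Dec/2025:10:01:41 +0000] "GET /uploads/avatar.phar?cmd=id HTTP/1.1" 200 66',
    '198.51.100.23 - - [17/Dec/2025:10:05:00 +0000] "GET /uploads/avatar.phar HTTP/1.1" 200 66',
    '198.51.100.23 - - [17/Dec/2025:10:05:03 +0000] "GET /uploads/notes.phar.txt HTTP/1.1" 200 12',
    '192.0.2.9 - - [17/Dec/2025:10:06:00 +0000] "GET /uploads/old.php HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for a in find_webshell_drops(SAMPLE_LOG):
        print(f'{a["confidence"]:6} {a["ip"]:14} {a["ts"]} {a["request"]}')
```

Against the sample, the script raises a high-confidence alert for the `avatar.phar?cmd=id` request that follows the POST from the same address, and a medium-confidence one for the second address that fetches the same file without a visible upload (the upload may simply predate the log window). The `notes.phar.txt` line is deliberately not flagged: under the FilesMatch rule only the final extension matters. A 200 for any PHP-handled file under the upload directory is worth a look on its own, since that directory should never execute scripts at all.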

CVEs Like This One

CVE-2026-39971 (same product: S9Y Serendipity)
CVE-2025-23953 (shared CWE-434)
CVE-2026-0911 (shared CWE-434)
CVE-2026-35047 (shared CWE-434)
CVE-2020-36849 (shared CWE-434)
CVE-2024-13723 (shared CWE-434)
CVE-2023-53922 (shared CWE-434)
CVE-2026-40412 (shared CWE-434)
CVE-2024-53345 (shared CWE-434)
CVE-2026-28270 (shared CWE-434)

Affected Assets

Vendor: s9y
Product: serendipity
Version: 2.4.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Directly remediates the flaw in Serendipity's media upload endpoint that permits unrestricted .phar file uploads leading to remote code execution.

SI-10 Information Input Validation (prevent)

Requires validation of uploaded files to reject dangerous types such as .phar containing PHP payloads, preventing exploitation of the unrestricted upload vulnerability. An allow-list of permitted extensions is the robust form of this check; a block-list of known-bad extensions is exactly what a forgotten entry like .phar bypasses.

Additional control (prevent, detect)

Scans uploaded files for malicious code, providing defense in depth against RCE payloads in .phar files even if validation is bypassed.
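What the SI-10 validation control above means in practice, as an added reference example written in Python (not Serendipity's own PHP upload code): allow-list the final extension instead of block-listing known-bad ones, reject any inner dot-separated segment the PHP handler would claim, and check that the bytes look like the declared type. The accepted types, the magic-byte table, the `NAME_RE` pattern and the `stored_name` helper are the example's own choices, not anything the project ships.

```python
"""Allow-list validation for a media upload (the SI-10 control above).

Added reference example in Python, not Serendipity's own PHP code.  It shows
the checks an upload handler should make so that a forgotten extension such
as .phar cannot slip through: accept only a fixed set of image extensions,
reject any dot-separated segment the PHP handler would claim, and confirm the
bytes look like the declared type.  Allow-list and magic bytes are the
example's own choices.
"""
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions the stock Apache/PHP FilesMatch rule hands to the interpreter.
PHP_HANDLED = {"php", "phar", "phtml"}
# Leading bytes expected for each accepted type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# First character must be alphanumeric: this also refuses ".htaccess", which an
# attacker could otherwise upload to add a handler for the upload directory.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def check_upload(filename, content):
    """Return (ok, reason).  ok is True only if every check passes."""
    # 1. No directory components, null bytes or odd characters in the name.
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or not NAME_RE.fullmatch(name):
        return False, "filename contains path components or unexpected characters"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    ext = parts[-1]
    # 2. Allow-list the final extension; a block-list is what let .phar through.
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} is not on the allow-list"
    # 3. Older AddHandler-style configs execute "x.phar.jpg" too, so no inner
    #    segment may be a PHP-handled extension either.
    if any(seg in PHP_HANDLED for seg in parts[1:-1]):
        return False, "inner extension would be handled as PHP"
    # 4. The bytes must look like the declared type ...
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match the declared type"
    # 5. ... and must not carry a PHP open tag (polyglot image).  This is a
    #    heuristic, which is why the web server must also refuse to execute
    #    anything in the upload directory.
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP open tag found inside image data"
    return True, "accepted"


def stored_name(ext):
    """Discard the client's name entirely and store under a random one."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed cases: the first is the advisory's .phar upload.
    cases = [
        ("avatar.phar", b"<?php system($_GET['cmd']); ?>"),
        ("avatar.phar.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("../avatar.jpg", b"\xff\xd8\xff\xe0"),
        ("avatar.jpg", b"<?php system($_GET['cmd']); ?>"),
        ("avatar.jpg", b"\xff\xd8\xff\xe0" + b"<?php system('id'); ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, data in cases:
        ok, why = check_upload(name, data)
        print(f"{'ACCEPT' if ok else 'REJECT'} {name:18} {why}")
```

The name and extension checks are the primary control; the magic-byte and open-tag checks are defense in depth and can be fooled by a carefully built polyglot, so pair them with a web server rule that strips the PHP handler from the upload directory and with storing files under a server-chosen name.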