Cyber Posture

CVE-2023-53941

Critical · Public PoC · RCE

Published: 18 December 2025
Modified: 26 December 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6890 (98.6th percentile)
Risk Priority: 61 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-53941 is a critical-severity OS Command Injection (CWE-78) vulnerability in EasyPHP Webserver. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.4% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent): directly prevents OS command injection by requiring validation and sanitization of the app_service_control parameter in incoming POST requests.

SI-2 Flaw Remediation (prevent): mandates timely remediation of the specific flaw in EasyPHP Webserver 14.1, eliminating the command injection vulnerability.

SC-7 Boundary Protection (prevent, detect): enables boundary protection devices like WAFs to monitor and block malicious payloads targeting the vulnerable /index.php?zone=settings endpoint.
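The SI-10 and SC-7 controls above describe two sides of the same check: the application should accept only known-good values for app_service_control, and the boundary layer should flag POSTs to the settings zone whose value would fail that rule. The following is an added example, not EasyPHP's code or the tracker's own tooling; the allowlist of service actions, the log line format and the log entries themselves are constructed assumptions.

```python
"""
Hypothetical SI-10 / SC-7 style check for the app_service_control parameter.
Added example: the allowlist, log format and sample lines are assumptions,
not EasyPHP's real handler or real traffic.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: the legitimate handler only needs these tokens. The real set of
# values EasyPHP accepts is not documented on the CVE page.
ALLOWED_SERVICE_ACTIONS = {"start", "stop", "restart"}

# Characters that can change command structure if a value ever reaches a shell.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n\\]")


def validate_service_control(value: str) -> bool:
    """SI-10 style input validation: exact allowlist match, nothing else."""
    return value in ALLOWED_SERVICE_ACTIONS


def classify_value(value: str) -> Optional[str]:
    """Return a finding reason for a rejected value, or None if acceptable.

    The allowlist decides; the metacharacter check only labels *why* a value
    was rejected, so an unknown but harmless-looking token is still refused.
    """
    if validate_service_control(value):
        return None
    if SHELL_META.search(value):
        return "shell_metacharacter"
    return "not_allowlisted"


# Constructed log lines (not real traffic): "<src> <method> <target> <urlencoded body>".
SAMPLE_LOG = [
    "203.0.113.5 POST /index.php?zone=settings app_service_control=restart",
    "198.51.100.9 GET /index.php?zone=settings -",
    "203.0.113.7 POST /index.php?zone=settings app_service_control=restart%3B%20echo%20probe",
    "203.0.113.8 POST /index.php?zone=dashboard app_service_control=stop",
    "203.0.113.9 POST /index.php?zone=settings app_service_control=deploy",
]


def is_settings_endpoint(target: str) -> bool:
    """True for /index.php?zone=settings, the endpoint named in the advisory."""
    parts = urlsplit(target)
    return parts.path == "/index.php" and parse_qs(parts.query).get("zone") == ["settings"]


def scan_log(lines):
    """SC-7 style boundary check: flag POSTs to the settings zone whose
    app_service_control value would fail the allowlist."""
    findings = []
    for line in lines:
        fields = line.split(" ", 3)
        if len(fields) != 4:
            continue  # malformed line; skip rather than guess
        src, method, target, body = fields
        if method != "POST" or not is_settings_endpoint(target):
            continue
        # parse_qs decodes percent-encoding, so "%3B" is checked as ";".
        for value in parse_qs(body).get("app_service_control", []):
            reason = classify_value(value)
            if reason is not None:
                findings.append({"src": src, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['src']}: {finding['reason']} ({finding['value']!r})")
```

Running it against the constructed log yields two findings: the percent-encoded value containing a `;` is labelled `shell_metacharacter`, and the unknown token `deploy` is labelled `not_allowlisted`. The second case is the point of an allowlist: a denylist of metacharacters alone would have let it through.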

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Unauthenticated OS command injection in a public-facing web server parameter directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.003 (Windows Command Shell) for remote command execution with admin privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges.

Deeper analysis [AI-generated]

CVE-2023-53941 is an OS command injection vulnerability (CWE-78) affecting EasyPHP Webserver 14.1. The flaw resides in the app_service_control parameter, which fails to properly sanitize user input, enabling attackers to inject and execute arbitrary system commands.

Unauthenticated remote attackers can exploit this vulnerability by sending POST requests to /index.php?zone=settings with specially crafted app_service_control payloads. Successful exploitation grants execution of commands with administrative privileges, potentially leading to full system compromise. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to low complexity and high impact on confidentiality, integrity, and availability.

VulnCheck has published an advisory on the remote code execution vulnerability in EasyPHP Webserver, while Exploit-DB hosts a proof-of-concept exploit (ID 51430). The vendor's site at easyphp.org provides additional context on the affected software. No specific patches or mitigations are detailed in the available references.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: easyphp webserver 14.1

CVEs Like This One

CVE-2025-11953 (shared CWE-78)
CVE-2026-22781 (shared CWE-78)
CVE-2020-37032 (shared CWE-78)
CVE-2025-57516 (shared CWE-78)
CVE-2025-15559 (shared CWE-78)
CVE-2026-30302 (shared CWE-78)
CVE-2026-28391 (shared CWE-78)
CVE-2026-30303 (shared CWE-78)
CVE-2025-34335 (shared CWE-78)
CVE-2026-26832 (shared CWE-78)

References