CVE-2023-53960

CriticalPublic PoC

Published: 22 December 2025

Published

22 December 2025

Modified

16 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0025 48.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-53960 is a critical-severity SQL Injection (CWE-89) vulnerability in Sound4 First Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection attacks by requiring validation of untrusted inputs like the password POST parameter in the authentication mechanism.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the identified SQL injection flaw in index.php to eliminate the vulnerability.

SC-7 Boundary Protection partial match

prevent

Enables boundary protections such as web application firewalls to filter and block malicious SQL payloads targeting the login interface.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web login (index.php) enables remote authentication bypass, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parameter to bypass authentication and potentially gain unauthorized access…

to the system.

Deeper analysisAI

CVE-2023-53960 is an SQL injection vulnerability (CWE-89) in the authentication mechanism of SOUND4 IMPACT, FIRST, PULSE, and Eco versions 2.x. The issue affects the 'index.php' file, where attackers can inject malicious SQL code via the 'password' POST parameter to manipulate login credentials. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Remote attackers with no privileges or user interaction can exploit this vulnerability over the network with low complexity. By submitting crafted SQL payloads in the password field during login attempts, they can bypass authentication and gain unauthorized access to the system.

Advisories from VulnCheck and Zero Science Lab (ZSL-2022-5726) describe the SQL injection via authentication bypass, while a proof-of-concept exploit is publicly available on Exploit-DB (exploit 51171). No specific patch or mitigation details are provided in the referenced advisories.

Details

CWE(s): CWE-89

Affected Products

sound4

first firmware

1.69, 2.15

sound4

impact eco firmware

1.16

sound4

pulse eco firmware

1.16

sound4

big voice4 firmware

1.2

sound4

big voice2 firmware

1.30

sound4

wm2 firmware

1.11

sound4

impact firmware

1.69, 2.15

sound4

pulse firmware

1.69, 2.15

sound4

stream extension

2.4.29

CVEs Like This One

CVE-2023-53955Same product: Sound4 Big Voice2

CVE-2023-53964Same product: Sound4 Big Voice2

CVE-2022-50796Same product: Sound4 Big Voice2

CVE-2023-53963Same product: Sound4 Big Voice2

CVE-2022-50794Same product: Sound4 Big Voice2

CVE-2022-50696Same product: Sound4 Big Voice2

CVE-2022-50793Same product: Sound4 Big Voice2

CVE-2025-57431Same vendor: Sound4

CVE-2025-69213Shared CWE-89

CVE-2025-52577Shared CWE-89

References

https://web.archive.org/web/20221207074555/https://www.sound4.com/
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/51171
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-sql-injection-via-authentication-bypass
Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php
Exploit, Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0