Cyber Resilience

CVE-2023-53966

Critical · Public PoC

Published: 22 December 2025

Modified: 31 December 2025
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0062 (44.8th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-53966 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Sound4 Linkandshare Transmitter. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.8th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2023-53966 is a format string vulnerability (CWE-134) affecting SOUND4 LinkAndShare Transmitter version 1.1.2. The flaw enables attackers to trigger memory stack overflows by supplying maliciously crafted environment variables, particularly through manipulation of the username environment variable with format string payloads. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By crafting environment variables with format string payloads, they can potentially achieve arbitrary code execution or cause the application to crash, leading to denial of service.

Advisories from VulnCheck and Zero Science Laboratory (ZSL-2023-5744) detail the vulnerability, and a proof-of-concept exploit is available on Exploit-DB (EDB-ID: 51259). No patches or specific mitigation steps are described in the provided information.

Vulnerability details

SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote, unauthenticated attackers to exploit a public-facing network application via crafted environment variables, enabling arbitrary code execution or denial of service, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-53960 (Same vendor: Sound4)
CVE-2023-53964 (Same vendor: Sound4)
CVE-2023-53955 (Same vendor: Sound4)
CVE-2022-50796 (Same vendor: Sound4)
CVE-2025-57431 (Same vendor: Sound4)
CVE-2023-53963 (Same vendor: Sound4)
CVE-2024-45324 (Shared CWE-134)
CVE-2022-50794 (Same vendor: Sound4)
CVE-2022-50696 (Same vendor: Sound4)
CVE-2022-50791 (Same vendor: Sound4)

Affected Assets

Vendor: sound4
Product: linkandshare transmitter
Version: 1.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 mandates identification, reporting, and correction of flaws like this format string vulnerability to eliminate the root cause.

Prevent: SI-16 provides memory protections such as stack canaries, ASLR, and DEP to prevent arbitrary code execution from stack overflows triggered by format strings.

Prevent: SI-10 requires validation of information inputs like environment variables to reject malicious format string payloads before processing.
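As an added illustration of the SI-10 control for a CWE-134 flaw (this is not SOUND4 code and not taken from any advisory), the C sketch below validates a username read from the environment against an allowlist and formats it only through a constant format string. The variable name USERNAME, the 64-character limit, the allowed character set and both function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_USER_LEN 64  /* assumed limit for this example */

/* SI-10: accept only a conservative allowlist; '%' can never pass. */
int username_is_valid(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > MAX_USER_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/*
 * CWE-134 pattern (do not use): snprintf(out, n, user);
 * Second layer: the format string is a constant and the untrusted value
 * is only ever passed as an argument to %s, never interpreted as a format.
 * Returns 0 on success, -1 on rejected input or truncation.
 */
int format_login_line(char *out, size_t n, const char *user)
{
    int written;
    if (out == NULL || n == 0 || !username_is_valid(user))
        return -1;
    written = snprintf(out, n, "login user=%s", user);
    return (written < 0 || (size_t)written >= n) ? -1 : 0;
}

int main(void)
{
    char line[128];
    const char *user = getenv("USERNAME"); /* assumed variable name */
    if (format_login_line(line, sizeof line, user) != 0) {
        fputs("rejected username from environment\n", stderr);
        return 1;
    }
    puts(line);
    return 0;
}
```

Building with GCC or Clang using -Wformat -Wformat-security flags non-constant format strings such as the commented-out pattern at compile time.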

References