CVE-2023-53980
Published: 22 December 2025
Summary
CVE-2023-53980 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in ProjectSend (vendor: Projectsend). Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-53980 is a remote code execution vulnerability in ProjectSend r1605. It enables attackers to upload malicious files, such as shell scripts with disguised extensions, through the upload.process.php endpoint by manipulating file extensions. This flaw allows execution of arbitrary commands on the server and carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-434.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation provides high-impact access to execute arbitrary commands, compromising confidentiality, integrity, and availability on the affected server.
Advisories, including those from VulnCheck, describe the remote code execution stemming from file extension manipulation in ProjectSend. A public proof-of-concept exploit is available on Exploit-DB (ID 51238), and the ProjectSend website offers additional details on the software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-60242
Vulnerability details
ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
ProjectSend is a public-facing web application, so unauthenticated RCE via file upload with extension manipulation maps to Exploit Public-Facing Application (T1190); the uploaded shell scripts then serve as web shells for arbitrary command execution (T1100).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents exploitation of the file extension manipulation vulnerability by enforcing validation of uploaded file names, extensions, and contents at the upload.process.php endpoint.
SI-2 comprehensively mitigates this CVE by requiring timely remediation and patching of the specific flaw in ProjectSend r1605 that enables RCE via malicious file uploads.
SI-3 blocks execution of uploaded shell scripts with disguised extensions through real-time and periodic malicious code scanning on the server.
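As an added illustration of the SI-10 control above (example code written for this page, not ProjectSend's own upload handler), the validator below applies the checks an upload endpoint needs to defeat extension disguises: it rejects names whose extension chain contains an interpreter-handled type, names carrying path separators, null bytes or trailing dot/space tricks, and bodies whose leading bytes do not match the claimed type. The allowlist, executable-extension set and magic-byte table are assumed policy values, not taken from the project.

```python
# Allowlist of extensions the upload endpoint accepts (assumed policy).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "zip"}

# Types a web server may hand to an interpreter. Reject them anywhere in the
# extension chain, not only as the final suffix (e.g. "report.php.png").
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "sh", "cgi", "pl", "py",
}

# Expected leading bytes per allowed binary type (constructed subset).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload.

    Validation is done on the name the client supplied and on the body
    itself, so a disguised extension cannot pass on the name alone.
    """
    # Path separators or null bytes have no place in a bare file name.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or null byte in filename"
    # Some servers and filesystems silently drop trailing dots/spaces, which
    # would turn "shell.php." into "shell.php" after the check; strip first.
    base = filename.strip().rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension in name"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension .{final} not in allowlist"
    # Content check: the body must look like the type the name claims.
    expected = MAGIC.get(final)
    if expected is not None and not content.startswith(expected):
        return False, "content does not match extension"
    return True, "ok"
```

In a real deployment the accepted file should additionally be stored under a server-generated name outside the web root, so that even a validator miss cannot be reached as a script.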