Cyber Resilience

CVE-2023-53980

Severity: High · Public PoC

Published: 22 December 2025
Modified: 26 December 2025
KEV Added: (none)
Patch: (none listed)
CVSS v4.0 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0081 (52.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-53980 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in ProjectSend. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-53980 is a remote code execution vulnerability in ProjectSend r1605. It enables attackers to upload malicious files, such as shell scripts with disguised extensions, through the upload.process.php endpoint by manipulating file extensions. The flaw allows execution of arbitrary commands on the server, carries a CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and is mapped to CWE-434.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation provides high-impact access to execute arbitrary commands, compromising confidentiality, integrity, and availability on the affected server.

Advisories, including those from VulnCheck, describe the remote code execution stemming from file extension manipulation in ProjectSend. A public proof-of-concept exploit is available on Exploit-DB (ID 51238), and the ProjectSend website offers additional details on the software.


Vulnerability details

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated RCE via file upload with extension manipulation in the public-facing web application ProjectSend enables exploitation of a public-facing application (T1190) and the deployment and execution of web shells or shell scripts for arbitrary command execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23953 (shared CWE-434)
CVE-2026-0911 (shared CWE-434)
CVE-2026-35047 (shared CWE-434)
CVE-2020-36849 (shared CWE-434)
CVE-2024-13723 (shared CWE-434)
CVE-2023-53922 (shared CWE-434)
CVE-2026-40412 (shared CWE-434)
CVE-2024-53345 (shared CWE-434)
CVE-2026-28270 (shared CWE-434)
CVE-2025-62050 (shared CWE-434)

Affected Assets

projectsend / projectsend / r1605 (vendor / product / version)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): SI-10 directly prevents exploitation of the file extension manipulation vulnerability by enforcing validation of uploaded file names, extensions, and contents at the upload.process.php endpoint.

SI-2 Flaw Remediation (prevent): SI-2 comprehensively mitigates this CVE by requiring timely remediation and patching of the specific flaw in ProjectSend r1605 that enables RCE via malicious file uploads.

SI-3 Malicious Code Protection (prevent, detect): SI-3 blocks execution of uploaded shell scripts with disguised extensions through real-time and periodic malicious code scanning on the server.
