CVE-2023-54337
Published: 13 January 2026
Summary
CVE-2023-54337 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in Sysax Multi Server. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks at the 4.5th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of specified quantities in inputs such as the administrative password field, preventing crashes from oversized repeated-character input.
- SC-5 (Denial-of-service Protection): protects against, or limits, the denial-of-service effects of application crashes triggered by malformed input in the password field.
- Flaw remediation: facilitates timely patching of the specific flaw in Sysax Multi Server to eliminate the exploitation path.
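The SI-10 control above amounts to checking the declared length of the password field before it reaches any fixed-size storage. The following is an added illustration written for this page, not Sysax code (the product's real field limit and internal handling are not described in the advisory); it assumes a hypothetical 64-character administrative password limit and shows the validator rejecting the 800-byte repeated-character input the NVD description mentions while accepting a normal password.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit for this example; the product's real maximum is not stated in the advisory. */
#define ADMIN_PASSWORD_MAX 64

enum pw_status { PW_OK = 0, PW_EMPTY, PW_TOO_LONG, PW_BAD_ARG };

/* Reject the field by its declared length before touching any fixed-size storage.
 * Network input is treated as a (pointer, length) pair; a NUL terminator is not assumed. */
enum pw_status validate_admin_password(const char *input, size_t input_len,
                                       char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0)
        return PW_BAD_ARG;
    if (input_len == 0)
        return PW_EMPTY;
    /* Enforce both the policy limit and the destination capacity (leaving room for the NUL). */
    if (input_len > ADMIN_PASSWORD_MAX || input_len >= out_size)
        return PW_TOO_LONG;
    memcpy(out, input, input_len);
    out[input_len] = '\0';
    return PW_OK;
}

/* Self-check: run a field of n repeated 'A' characters through the validator and return its status.
 * The 800-byte case mirrors the input size named in the advisory. */
enum pw_status check_repeated_field(size_t n)
{
    char field[1024];                       /* constructed test input, large enough for the 800-byte case */
    char stored[ADMIN_PASSWORD_MAX + 1];    /* destination the validator is protecting */
    if (n > sizeof field)
        return PW_BAD_ARG;
    memset(field, 'A', n);
    return validate_admin_password(field, n, stored, sizeof stored);
}

/* Self-check: a short password is accepted and stored intact. Returns 1 on success, 0 otherwise. */
int check_normal_field(void)
{
    const char *pw = "correct-horse-battery";   /* constructed sample value */
    char stored[ADMIN_PASSWORD_MAX + 1];
    if (validate_admin_password(pw, strlen(pw), stored, sizeof stored) != PW_OK)
        return 0;
    return strcmp(stored, pw) == 0;
}

int main(void)
{
    printf("800 repeated bytes -> status %d (PW_TOO_LONG is %d)\n",
           check_repeated_field(800), PW_TOO_LONG);
    printf("%d bytes (at limit) -> status %d (PW_OK is %d)\n",
           ADMIN_PASSWORD_MAX, check_repeated_field(ADMIN_PASSWORD_MAX), PW_OK);
    printf("normal password accepted and stored intact -> %d\n", check_normal_field());
    return 0;
}
```

The point of passing an explicit length, and checking it against both the policy maximum and the destination size, is that the decision to reject happens before any byte is copied; a validator that copies first and measures afterwards gives no protection against the oversized input described here.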
NVD Description
Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality.
Deeper analysis
CVE-2023-54337 is a denial-of-service vulnerability affecting Sysax Multi Server version 6.95, specifically in the administrative password field. The flaw allows attackers to crash the application by overwriting the password field with 800 bytes of repeated characters, leading to disruption of server functionality. It has been assigned a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-1284 (Improper Validation of Specified Quantity in Input).
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation triggers an application crash, resulting in high impacts to integrity and availability while sparing confidentiality. This disrupts server operations, potentially denying service to legitimate users.
Advisories from VulnCheck and a proof-of-concept on Exploit-DB detail the issue and demonstrate the crash using repeated characters in the password field. The vendor site at sysax.com is referenced, though no specific patches or mitigations are detailed in the available information. Security practitioners should monitor for vendor updates and consider restricting network access to the administrative interface.
Details
- CWE(s)