CVE-2023-53771

CriticalPublic PoC

Published: 09 December 2025

Published

09 December 2025

Modified

19 December 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0107 77.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Prohibits permitting sensitive actions like root password changes on the system setup endpoint without identification and authentication, directly addressing the authentication bypass.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to the system setup endpoint, preventing unauthorized crafted POST requests that bypass authentication.

SC-7 Boundary Protection partial match

prevent

Restricts external network communications to the vulnerable system setup endpoint, mitigating remote exploitation as recommended by advisories.

Security SummaryAI

CVE-2023-53771 is an authentication bypass vulnerability (CWE-306) affecting MiniDVBLinux 5.4. The flaw enables remote attackers to change the root password without authentication by sending crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters, effectively resetting root credentials.

Remote attackers can exploit this vulnerability over the network with no privileges, low attack complexity, and no user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants attackers full control over the system by altering root credentials, resulting in high impacts to confidentiality, integrity, and availability.

Advisories from VulnCheck and Zero Science, along with a public exploit on Exploit-DB, detail the issue, while the vendor site at minidvblinux.de provides additional context. These references outline exploitation methods and recommend mitigations such as restricting access to the system setup endpoint.

A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world exploitation against exposed MiniDVBLinux 5.4 instances.

Details

CWE(s): CWE-306

Affected Products

minidvblinux

≤ 5.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a remotely accessible web system setup endpoint, allowing unauthenticated attackers to change the root password via crafted POST requests, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/51094
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.minidvblinux.de
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/minidvblinux-unauthenticated-root-password-change-via-system-setup
Third Party Advisory · disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php
Exploit, Third Party Advisory · disclosure@vulncheck.com