Cyber Posture

CVE-2023-53923

Severity: Critical · Public PoC available

Published: 17 December 2025
Modified: 18 December 2025
KEV Added: none listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access.

Mitigating Controls (NIST 800-53 r5) [AI-generated mapping]

Prevent: Enforces approved authorizations for access to system resources, directly addressing the missing authorization in UserController that permits unauthenticated admin account creation.

Prevent: Manages system accounts, including provisioning new accounts only with proper authorization, preventing unauthenticated attackers from creating administrative accounts.

Prevent: Protects public access interfaces by requiring identification and authentication, mitigating exploitation of the publicly accessible /dist/admin/index.php endpoint.

Security Summary [AI-generated]

CVE-2023-53923 is a privilege escalation vulnerability in UliCMS version 2023.1, stemming from CWE-862 (Missing Authorization). The flaw resides in the UserController endpoint, where unauthenticated attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to create a new administrative account, granting full system access.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, no required privileges, and no user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables attackers to generate admin users, achieving high impacts on confidentiality, integrity, and availability through complete administrative control.

Advisories such as the VulnCheck report and Exploit-DB entry (ID 51433) document the issue, including a public proof-of-concept exploit demonstrating the unauthenticated admin account creation. No patch or mitigation details are specified in the CVE description.
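The CWE-862 pattern the summary describes, shown as an added illustration in Python rather than in UliCMS's own PHP (this is not the project's code): a request handler that creates accounts without checking who is asking, beside a hardened version that refuses the same request. The endpoint path is the one named in the advisory; the action and field names, the Session model and the in-memory UserStore are assumptions made for the example.

```python
"""CWE-862 (Missing Authorization) in an account-creation handler.

Added illustration, not UliCMS code. The endpoint path is taken from the
advisory; the 'action', 'username' and 'role' parameters, the Session model
and the UserStore are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN_ENDPOINT = "/dist/admin/index.php"  # path named in the advisory


@dataclass
class Session:
    """Server-side session; an anonymous visitor has user=None."""
    user: Optional[str] = None
    is_admin: bool = False


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    session: Session = field(default_factory=Session)


class UserStore:
    """In-memory stand-in for the CMS user table (assumption)."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}  # username -> role

    def create(self, username: str, role: str) -> None:
        if username in self.users:
            raise ValueError(f"user {username!r} already exists")
        self.users[username] = role


def vulnerable_user_controller(req: Request, store: UserStore) -> int:
    """Dispatches on the 'action' field but never asks who is calling.

    Any client that can reach the endpoint can create an account with any
    role, which is the missing-authorization flaw the advisory describes.
    Returns an HTTP-style status code.
    """
    if req.method != "POST" or req.path != ADMIN_ENDPOINT:
        return 404
    if req.form.get("action") == "create_user":
        store.create(req.form["username"], req.form.get("role", "user"))
        return 200
    return 400


def hardened_user_controller(req: Request, store: UserStore) -> int:
    """Same dispatch, with authorization decided before any state change."""
    if req.method != "POST" or req.path != ADMIN_ENDPOINT:
        return 404
    # Authentication first: no session user means no admin actions at all.
    if req.session.user is None:
        return 401
    # Then authorization: only an existing admin may provision accounts.
    if not req.session.is_admin:
        return 403
    if req.form.get("action") == "create_user":
        role = req.form.get("role", "user")
        if role not in ("user", "editor", "admin"):  # allowlist, not free text
            return 400
        store.create(req.form["username"], role)
        return 200
    return 400


if __name__ == "__main__":
    attack = Request("POST", ADMIN_ENDPOINT,
                     {"action": "create_user", "username": "backdoor", "role": "admin"})
    print("vulnerable:", vulnerable_user_controller(attack, UserStore()))  # 200
    print("hardened:  ", hardened_user_controller(attack, UserStore()))   # 401
```

The decisive difference is that the hardened handler establishes identity (401) and then role (403) before it touches the user table; a CSRF token check on the same request would be the usual second layer once a logged-in admin can be tricked into submitting the form, but it does nothing against the unauthenticated case, which is why the session checks come first.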

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: ulicms / ulicms, version 2023.1

MITRE ATT&CK Enterprise Techniques [AI-generated mapping]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Create Account: Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables unauthenticated exploitation of a public-facing web application (T1190) via a crafted POST request that is never subjected to an authorization check, directly creating a new administrative account (T1136.001) and thereby escalating the attacker to full administrative control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
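A post-exposure hunt that follows from these techniques, added here as an example that is not part of the original page: compare the admin accounts on the instance against an approved list (the account review the AC-2 style control above calls for) and, for each unexpected admin, pull the POST requests to /dist/admin/index.php that immediately preceded its creation from the web server access log, which ties the T1136.001 account back to the T1190 request and its source address. The log lines, user records, timestamps and IP addresses are constructed; the user record layout is an assumption, not the UliCMS schema.

```python
"""Hunt for unexpected admin accounts and the admin-endpoint POSTs behind them.

Added example, not UliCMS tooling. ACCESS_LOG, USERS and APPROVED_ADMINS are
constructed inputs; the {username, role, created_at} record shape is an
assumption, not the UliCMS database schema.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

ADMIN_ENDPOINT = "/dist/admin/index.php"  # path named in the advisory

# Combined-log-format prefix: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client probes the admin endpoint and POSTs to it
# one second before an admin account appears; a second POST is unrelated.
ACCESS_LOG = """\
203.0.113.7 - - [18/Dec/2025:09:14:02 +0000] "GET /dist/admin/index.php HTTP/1.1" 200 1321
203.0.113.7 - - [18/Dec/2025:09:14:05 +0000] "POST /dist/admin/index.php HTTP/1.1" 302 0
198.51.100.20 - - [18/Dec/2025:09:30:00 +0000] "POST /dist/admin/index.php HTTP/1.1" 302 0
10.0.0.5 - - [18/Dec/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

# Constructed user export (assumed layout).
USERS = [
    {"username": "alice", "role": "admin", "created_at": "2024-03-01T10:00:00+00:00"},
    {"username": "support", "role": "admin", "created_at": "2025-12-18T09:14:06+00:00"},
    {"username": "bob", "role": "user", "created_at": "2025-12-18T09:30:01+00:00"},
]
APPROVED_ADMINS: Set[str] = {"alice"}  # the admins the team actually provisioned


def parse_log(text: str) -> List[Dict]:
    """Parse access-log lines into dicts with an aware datetime and int status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def unexpected_admins(users: Iterable[Dict], approved: Set[str]) -> List[Dict]:
    """Admin-role accounts that are not on the approved list."""
    return [u for u in users if u["role"] == "admin" and u["username"] not in approved]


def correlate(users: Iterable[Dict], log_entries: List[Dict], approved: Set[str],
              window: timedelta = timedelta(seconds=30)) -> List[Dict]:
    """For each unexpected admin, list source IPs that POSTed to the admin
    endpoint within `window` before the account's creation time."""
    findings = []
    for u in unexpected_admins(users, approved):
        created = datetime.fromisoformat(u["created_at"])
        hits = [e for e in log_entries
                if e["method"] == "POST" and e["path"] == ADMIN_ENDPOINT
                and created - window <= e["ts"] <= created]
        findings.append({
            "username": u["username"],
            "created_at": u["created_at"],
            "source_ips": sorted({e["ip"] for e in hits}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(USERS, parse_log(ACCESS_LOG), APPROVED_ADMINS):
        print(f"unexpected admin {f['username']} created {f['created_at']}; "
              f"preceding admin-endpoint POSTs from {f['source_ips'] or 'none in log'}")
```

The account list is the primary signal: an admin you did not provision is a finding whether or not the log correlation lands a source address, because the log may have rotated or the request may have arrived through a proxy that rewrote the client IP. Widen `window` if the application records creation time from a batch job rather than the request itself.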
