Cyber Posture

CVE-2023-53924

High · Public PoC

Published: 17 December 2025
Modified: 18 December 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Directly enforces validation of uploaded avatar files to reject PHP/.phar extensions and malicious content, preventing disguised code execution.

Prevent: Restricts profile avatar uploads to only safe image file types and characteristics, blocking .phar and PHP files at input.

Prevent, Detect: Deploys malicious code scanning at upload entry points to identify and block executable PHP content in avatar files.
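The three controls above reduce to one upload check: allow-list the extension instead of deny-listing script types, verify that the bytes really are the image format the name claims, scan the content for script tags, and store the file under a server-chosen name. The Python below is an illustration added here, not UliCMS code; it places the deny-list pattern that lets .phar through next to an allow-list validator. The function names, size limit and sample byte strings are constructed for the example.

```python
"""Allow-list validation for profile-avatar uploads.

Added example, not UliCMS code. Assumptions (not from the CVE record):
the upload handler receives the client-supplied filename and the raw
bytes, and stored files are renamed so the client name never reaches disk.
"""
import hashlib
import os
import re

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # constructed limit for the example

# Leading bytes for each allowed format; the file content, not the
# client-supplied name or Content-Type header, decides what it is.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Heuristic content scan (defence in depth): a real avatar has no reason
# to carry a PHP open tag, whatever its extension says.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class AvatarRejected(ValueError):
    """Raised when an upload fails any check; the caller answers with 4xx."""


def deny_list_accepts(filename):
    """The weak pattern behind this bug class: block a few known script
    extensions and let everything else through. '.phar' is not in the
    list, so a server configured to run .phar as PHP still executes it."""
    blocked = {"php", "php3", "php4", "php5", "phtml"}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in blocked


def validate_avatar(filename, data):
    """Return the name to store the file under, or raise AvatarRejected."""
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise AvatarRejected("empty or oversized upload")

    # Keep only the last path component so '../' in the name is inert.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise AvatarRejected("no file extension")
    ext = base.rsplit(".", 1)[1].lower()

    # Allow-list: anything that is not an image extension is rejected, so
    # .phar, .php, .phtml and future variants never need a deny entry.
    if ext not in ALLOWED_EXTENSIONS:
        raise AvatarRejected(f"extension .{ext} not permitted")

    # The bytes must actually start like the format the extension claims.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise AvatarRejected("content does not match declared image type")

    if PHP_TAG.search(data):
        raise AvatarRejected("embedded PHP tag in image data")

    # Server-chosen name derived from content; the client string never
    # becomes a path on disk.
    digest = hashlib.sha256(data).hexdigest()[:16]
    return f"{digest}.{ext}"


def check(filename, data):
    """Verdict string for a candidate upload (convenient for logging/tests)."""
    try:
        return "stored:" + validate_avatar(filename, data)
    except AvatarRejected as exc:
        return "rejected:" + str(exc)


# Constructed sample inputs, not real files.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_FILE = b"<?php echo 'not an image'; ?>"
POLYGLOT = GOOD_PNG + b"<?php echo 1; ?>"  # valid PNG header, PHP appended

if __name__ == "__main__":
    print("deny-list accepts avatar.phar:", deny_list_accepts("avatar.phar"))
    for name, payload in [("avatar.png", GOOD_PNG), ("avatar.phar", PHP_FILE),
                          ("avatar.png", POLYGLOT), ("../../x.PNG", GOOD_PNG)]:
        print(name, "->", check(name, payload))
```

Renaming on the server side is what makes the extension check robust: even if a later parser disagrees about where the "extension" starts, the only extension that ever reaches the filesystem is one drawn from the allow-list.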

Security Summary [AI-generated]

CVE-2023-53924 is a remote code execution vulnerability in UliCMS version 2023.1-sniffing-vicuna. The flaw arises during profile avatar uploads, where authenticated attackers can upload PHP files disguised with a .phar extension. By crafting malicious avatars, attackers bypass restrictions, and code execution is triggered simply by visiting the uploaded file's location on the server.

The vulnerability requires low-privileged authentication (PR:L) and can be exploited remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), earning a CVSS v3.1 base score of 8.8 (High) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation enables attackers to execute arbitrary system commands, potentially leading to full server compromise.

Advisories and references, including those from VulnCheck and Exploit-DB (exploit 51434), detail the issue and provide proof-of-concept exploits. An archived UliCMS site is also referenced; specific patch details and mitigation steps are outlined in these resources, which security practitioners should review for updates and remediation guidance.

Details

CWE(s)

Affected Products

ulicms / ulicms / 2023.1

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability enables remote code execution in public-facing web app via authenticated file upload bypass (T1190), directly facilitating web shell deployment by uploading executable PHP/.phar files triggered via URL access (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References