Cyber Posture

CVE-2023-53933

Severity: High · Public PoC

Published: 17 December 2025

Modified: 24 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0076 (73.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server.

Mitigating Controls (NIST 800-53 r5)

(prevent) Directly remediates the flaw in Serendipity's media upload endpoint that permits unrestricted .phar file uploads leading to remote code execution.

(prevent) Requires validation of uploaded files to reject dangerous types like .phar containing PHP payloads, preventing exploitation of the unrestricted upload vulnerability.

(prevent, detect) Scans uploaded files for malicious code, providing defense-in-depth against RCE payloads in .phar files even if validation is bypassed.
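The two validation controls above (rejecting dangerous file types, then scanning content as defence in depth) can be shown concretely. The following PHP is an added example written for this page; it is not Serendipity's own upload code, and the function name, the extension allowlist and the MIME table are assumptions chosen for illustration. It applies an extension allowlist to every dot-separated part of the name (so `shell.phar.jpg` is rejected as firmly as `shell.phar`), checks the detected content type rather than the client-supplied header, and finally refuses any file that carries a PHP open tag or a phar stub.

```php
<?php
// Added example: allowlist-based validation for a media upload endpoint.
// Not Serendipity's code; names, allowlist and MIME table are assumptions.

declare(strict_types=1);

/** Extensions the media endpoint is allowed to accept (assumed policy). */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/** Detected MIME types that are acceptable for each allowed extension. */
const ALLOWED_MIME = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'webp' => ['image/webp'],
    'pdf'  => ['application/pdf'],
];

/**
 * Return null when the upload is acceptable, otherwise a short rejection reason.
 * $name is the client-supplied file name ($_FILES[...]['name']); $tmpPath is the
 * server-side temporary file PHP wrote ($_FILES[...]['tmp_name']).
 */
function validateMediaUpload(string $name, string $tmpPath): ?string
{
    // Drop any directory components the client may have sent.
    $base = basename(str_replace('\\', '/', $name));

    // Every dot-separated part after the first is treated as an extension, so
    // "shell.phar.jpg" and "shell.jpg.phar" are both judged on all their parts.
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return 'missing extension';
    }
    array_shift($parts);
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension '$ext' is not on the allowlist";
        }
    }
    $ext = end($parts);

    // Check the real content type, not the Content-Type header the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_MIME[$ext], true)) {
        return "content type '$detected' does not match extension '$ext'";
    }

    // Defence in depth: a media file should never carry a PHP open tag or a
    // phar stub. Only the first megabyte is read so large files stay cheap.
    $head = file_get_contents($tmpPath, false, null, 0, 1024 * 1024);
    if ($head !== false
        && (stripos($head, '<?php') !== false || stripos($head, '__HALT_COMPILER') !== false)) {
        return 'embedded PHP code detected';
    }

    return null;
}

// Usage in a hypothetical handler (UPLOAD_DIR is assumed to be defined elsewhere):
// $reason = validateMediaUpload($_FILES['media']['name'], $_FILES['media']['tmp_name']);
// if ($reason !== null) {
//     http_response_code(400);
//     exit('upload rejected: ' . $reason);
// }
// $ext = strtolower(pathinfo($_FILES['media']['name'], PATHINFO_EXTENSION));
// $safeName = bin2hex(random_bytes(16)) . '.' . $ext; // server-chosen name, never the client's
// move_uploaded_file($_FILES['media']['tmp_name'], UPLOAD_DIR . '/' . $safeName);
```

The content scan is a heuristic rather than a guarantee, which is why it sits behind the allowlist rather than replacing it. As general hardening outside the scope of this record, uploaded media should also be stored in a directory the web server never hands to the PHP interpreter (for example with `php_admin_flag engine off` in an Apache `<Directory>` block, or an nginx location that serves the path statically instead of passing it to php-fpm), so that a file which slips past both checks still cannot execute.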

Security Summary

CVE-2023-53933 is a remote code execution vulnerability in Serendipity 2.4.0, a PHP-based blogging platform. The flaw allows authenticated attackers to upload malicious PHP files with a .phar extension via the media upload endpoint. These files can contain system command payloads, enabling arbitrary command execution on the affected server. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An attacker with low-privilege authenticated access, such as a registered user, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting and uploading a .phar file containing malicious payloads to the media endpoint, the attacker achieves full remote code execution on the server, potentially leading to high confidentiality, integrity, and availability impacts, including server compromise, data theft, or further lateral movement.

Advisories and related resources, including the Serendipity documentation at https://docs.s9y.org/, a VulnCheck advisory at https://www.vulncheck.com/advisories/serendipity-authenticated-remote-code-execution-via-file-upload, and a public proof-of-concept exploit at https://www.exploit-db.com/exploits/51372, provide further details on the issue. Security practitioners should consult these for recommended mitigations, such as restricting upload permissions or applying any available patches.

Details

CWE(s)

Affected Products

s9y
serendipity
2.4.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability is an unrestricted file upload in a public-facing web application (Serendipity blogging platform), enabling exploitation of public-facing applications (T1190) and deployment of web shells via malicious PHP .phar files for remote code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References