Cyber Posture

CVE-2023-53955

CriticalPublic PoC

Published: 22 December 2025

Published
22 December 2025
Modified
13 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 71.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without proper authentication.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved authorizations for access to system resources, directly preventing IDOR exploits that bypass authorization via manipulated object references.

AC-25 Reference Monitor good match
prevent

AC-25 implements a reference monitor to mediate all subject-object accesses according to policy, countering insecure direct object references that evade authorization checks.

SI-10 Information Input Validation good match
prevent

SI-10 validates user-supplied inputs, blocking manipulation of object references required to exploit the IDOR vulnerability.

Security SummaryAI

CVE-2023-53955 is an insecure direct object reference vulnerability (CWE-639) present in SOUND4 IMPACT, FIRST, PULSE, and Eco products running version 2.x. This flaw enables attackers to bypass authorization controls and access hidden system resources by manipulating user-supplied input, allowing the execution of privileged functionalities without proper authentication. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high potential impact on confidentiality, integrity, and availability.

Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability. By altering user-supplied input, they can directly reference and access unauthorized objects, executing privileged operations that compromise the targeted system.

Advisories from VulnCheck and Zero Science Laboratory (ZSL-2022-5723) detail the authorization bypass via insecure object references in the affected SOUND4 products. An exploit is publicly available on Exploit-DB (ID 51169). No specific patch or mitigation details are provided in the referenced advisories, and the vendor's site is archived via web.archive.org.

The public availability of an exploit on Exploit-DB suggests potential for real-world exploitation, though no confirmed incidents are noted in the provided information.

Details

CWE(s)
CWE-639

Affected Products

sound4
impact firmware
1.69, 2.15
sound4
pulse firmware
1.69, 2.15
sound4
first firmware
1.69, 2.15
sound4
impact eco firmware
1.16
sound4
pulse eco firmware
1.16
sound4
big voice4 firmware
1.2
sound4
big voice2 firmware
1.30
sound4
wm2 firmware
1.11
sound4
stream extension
2.4.29

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

CVE-2023-53955 is an IDOR vulnerability in public-facing web interfaces of SOUND4 products, enabling remote unauthenticated attackers to bypass authorization and execute privileged operations, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References