Cyber Posture

CVE-2023-53960

Critical · Public PoC

Published: 22 December 2025

Modified: 16 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parameter to bypass authentication and potentially gain unauthorized access to the system.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly prevents SQL injection attacks by requiring validation of untrusted inputs like the password POST parameter in the authentication mechanism.

prevent

Mandates timely remediation of the identified SQL injection flaw in index.php to eliminate the vulnerability.

prevent

Enables boundary protections such as web application firewalls to filter and block malicious SQL payloads targeting the login interface.

Security Summary · AI

CVE-2023-53960 is an SQL injection vulnerability (CWE-89) in the authentication mechanism of SOUND4 IMPACT, FIRST, PULSE, and Eco versions 2.x. The issue affects the 'index.php' file, where attackers can inject malicious SQL code via the 'password' POST parameter to manipulate login credentials. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Remote attackers with no privileges or user interaction can exploit this vulnerability over the network with low complexity. By submitting crafted SQL payloads in the password field during login attempts, they can bypass authentication and gain unauthorized access to the system.

Advisories from VulnCheck and Zero Science Lab (ZSL-2022-5726) describe the authentication bypass via SQL injection, and a proof-of-concept exploit is publicly available on Exploit-DB (exploit 51171). No specific patch or mitigation details are provided in the referenced advisories.

Details

CWE(s)

Affected Products

sound4 · first firmware · 1.69, 2.15
sound4 · impact eco firmware · 1.16
sound4 · pulse eco firmware · 1.16
sound4 · big voice4 firmware · 1.2
sound4 · big voice2 firmware · 1.30
sound4 · wm2 firmware · 1.11
sound4 · impact firmware · 1.69, 2.15
sound4 · pulse firmware · 1.69, 2.15
sound4 · stream extension · 2.4.29

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

SQL injection in public-facing web login (index.php) enables remote authentication bypass, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References