CVE-2023-53963
Published: 22 December 2025
Description
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates information input validation at the login.php and index.php endpoints to sanitize or reject shell metacharacters in the 'password' POST parameter, directly preventing OS command injection.
SI-2 requires identification, reporting, and correction of the specific input sanitization flaw in the affected products, remediating the CVE to stop arbitrary command execution.
AC-6 enforces least privilege for the web server process, limiting the scope and impact of any successfully injected shell commands.
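As an added illustration (not SOUND4's code, which none of the references reproduce), the following PHP shows the CWE-78 pattern this CVE describes in a login handler beside a form that satisfies SI-10: the credential is validated by shape and verified in-process, and where a helper binary is unavoidable it is launched without a shell. The helper path /usr/local/bin/checkpw, its --stdin flag and the ADMIN_PW_HASH environment variable are assumptions made for the example.

```php
<?php
// Added illustration, not SOUND4's code. Shows the CWE-78 pattern behind
// this CVE and the fix: the credential must never reach a shell.

// VULNERABLE PATTERN (hypothetical helper binary): the raw POST value is
// spliced into a command string. Quoting does not help; a single quote in
// the input ends the quoted argument and whatever follows runs as the web
// server user.
function check_password_vulnerable(string $password): bool
{
    $out = shell_exec("/usr/local/bin/checkpw '" . $password . "'");
    return trim((string) $out) === 'OK';
}

// HARDENED: validate the input's shape (SI-10), then verify against a
// stored hash in-process. No shell, no helper binary, nothing to inject.
function check_password_hardened(string $password, string $storedHash): bool
{
    // Reject rather than "sanitize": length bounds plus printable-only keep
    // control characters and newlines out without guessing at a blocklist.
    if (strlen($password) < 8 || strlen($password) > 128 || !ctype_print($password)) {
        return false;
    }
    // password_verify() compares in constant time and understands the
    // bcrypt/argon2 hashes produced by password_hash().
    return password_verify($password, $storedHash);
}

// If a helper process is genuinely required, launch it without a shell.
// proc_open() with an array command (PHP >= 7.4) execs the binary directly,
// so metacharacters are never interpreted, and the secret travels over
// stdin instead of appearing in argv and process listings.
// The helper path and its '--stdin' flag are assumptions for illustration.
function check_password_via_helper(string $password): bool
{
    if (strlen($password) > 128 || !ctype_print($password)) {
        return false;
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/bin/checkpw', '--stdin'], $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $password);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]); // drain stderr so the child cannot block on it
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return $status === 0 && trim((string) $out) === 'OK';
}

// Hypothetical login.php entry point using the hardened check. The hash
// source (an environment variable here) is a placeholder for wherever the
// device actually stores credentials.
$storedHash = getenv('ADMIN_PW_HASH') ?: '';
$password   = (string) ($_POST['password'] ?? '');
if ($storedHash === '' || !check_password_hardened($password, $storedHash)) {
    http_response_code(401);
    exit('login failed');
}
// ... session setup for the authenticated user ...
```

The design point is that SI-10 here means refusing to hand untrusted bytes to an interpreter at all; filtering shell metacharacters out of the password would be a blocklist that is easy to get wrong, whereas the in-process hash comparison leaves no command line to inject into. AC-6 still matters as the second layer: the web server user should have no shell-reachable privileges worth abusing if some other path into a shell is ever found.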
Security Summary
CVE-2023-53963 is an unauthenticated OS command injection vulnerability (CWE-78) in SOUND4 IMPACT, FIRST, PULSE, and Eco products version 2.x. The issue affects the login.php and index.php scripts, where the 'password' POST parameter fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary shell commands with web server privileges. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high impact on confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this vulnerability by sending crafted POST requests to the affected endpoints with shell metacharacters in the 'password' parameter. No user interaction or privileges are required, enabling exploitation over the network with minimal effort. Successful attacks allow arbitrary command execution on the underlying operating system, which could lead to full server compromise, data exfiltration, persistence, or further lateral movement depending on the web server's context and privileges.
Advisories from VulnCheck and ZeroScience (ZSL-2022-5738) describe the vulnerability and exploitation details, while a proof-of-concept exploit is publicly available on Exploit-DB (exploit 51173). The archived SOUND4 website provides product context, but no specific patches or vendor mitigations are detailed in the references.
A public exploit on Exploit-DB highlights the risk of real-world abuse against internet-exposed instances of these audio processing devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection via unsanitized 'password' parameter in web scripts directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059.004 (Unix Shell) for arbitrary shell command execution with web server privileges.