Cyber Posture

CVE-2023-53980

Critical · Public PoC

Published: 22 December 2025
Modified: 26 December 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0052 (66.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Control type: prevent

SI-10 (Information Input Validation) directly prevents exploitation of the file extension manipulation vulnerability by enforcing validation of uploaded file names, extensions, and contents at the upload.process.php endpoint.

Control type: prevent

SI-2 (Flaw Remediation) comprehensively mitigates this CVE by requiring timely remediation and patching of the specific flaw in ProjectSend r1605 that enables RCE via malicious file uploads.

Control type: prevent, detect

SI-3 (Malicious Code Protection) blocks execution of uploaded shell scripts with disguised extensions through real-time and periodic malicious code scanning on the server.
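An upload check of the kind SI-10 calls for, added here as an illustration (it is not ProjectSend code and does not reflect the project's own fix): it allowlists extensions, rejects double extensions such as name.php.jpg, refuses anything a PHP server might execute, and compares the leading bytes of the content with the claimed type. The allowlist, the executable-extension list and the magic-byte table are constructed for the example and would be tuned per deployment.

```python
import os
import re

# Extensions the application is willing to store (constructed allowlist).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "zip"}

# Extensions a PHP-based web server may hand to an interpreter; rejected
# wherever they appear in the name, not only at the end (constructed list).
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "sh",
}

# Leading bytes of the accepted binary formats (constructed, partial table).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04",),
}


def validate_upload(filename, head):
    """Return (ok, detail): detail is the sanitised base name on success,
    otherwise the rejection reason. `head` is the first bytes of the content."""
    # Strip any directory part so a traversal prefix cannot pick the location.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty or traversal name"
    # Control characters (including NUL) and dotfiles such as .htaccess.
    if re.search(r"[\x00-\x1f]", base) or base.startswith("."):
        return False, "control character or hidden file name"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension present: " + ".".join(exts)
    if len(exts) > 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    sigs = MAGIC.get(ext)
    if sigs is not None and not any(head.startswith(s) for s in sigs):
        return False, "content does not match extension"
    # Store under a server-generated name outside the web root; never execute.
    return True, base
```

The check belongs on the server side of the upload handler; client-side checks are bypassable.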

Security Summary (AI-generated)

CVE-2023-53980 is a remote code execution vulnerability in ProjectSend r1605. It enables attackers to upload malicious files, such as shell scripts with disguised extensions, through the upload.process.php endpoint by manipulating file extensions. This flaw allows execution of arbitrary commands on the server and carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-434.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation provides high-impact access to execute arbitrary commands, compromising confidentiality, integrity, and availability on the affected server.

Advisories, including those from VulnCheck, describe the remote code execution stemming from file extension manipulation in ProjectSend. A public proof-of-concept exploit is available on Exploit-DB (ID 51238), and the ProjectSend website offers additional details on the software.

Details

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: projectsend
Product: projectsend
Version: r1605

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated RCE via file upload with extension manipulation in the public-facing web application ProjectSend maps to exploitation of a public-facing application (T1190) and to the deployment and execution of web shells or shell scripts for arbitrary command execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References