CVE-2023-53963

CRITICAL

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Command Injection

Title source: llm

Description

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textlocalwindows

https://www.exploit-db.com/exploits/51173

View Code ZIP pw:eip

References (4)

[Product] https://web.archive.org/web/20221207074555/https://www.sound4.com/

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/51173

[Third Party Advisory] https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-unauthenticated-remote-command-injection

[Exploit, Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php

Scores

CVSS v3 9.8

EPSS 0.0290

EPSS Percentile 86.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (12)

sound4/big_voice2_firmware 1.30

sound4/big_voice4_firmware 1.2

sound4/first_firmware 2.15

sound4/first_firmware 1.69

sound4/impact_eco_firmware 1.16

sound4/impact_firmware 2.15

sound4/impact_firmware 1.69

sound4/pulse_eco_firmware 1.16

sound4/pulse_firmware 2.15

sound4/pulse_firmware 1.69

... and 2 more

Published Dec 22, 2025

Tracked Since Feb 18, 2026