CVE-2023-53923

9.8 CRITICAL

📋 TL;DR

CVE-2023-53923 is a critical privilege escalation vulnerability in UliCMS that allows unauthenticated attackers to create administrative accounts with full system access. Attackers can exploit this by sending a crafted POST request to the UserController endpoint. All organizations running vulnerable versions of UliCMS are affected.

💻 Affected Systems

Products:
  • UliCMS
Versions: 2023.1 and potentially earlier versions
Operating Systems: All operating systems running UliCMS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where attackers gain administrative control, can execute arbitrary code, steal sensitive data, modify content, and maintain persistent access.

🟠

Likely Case

Attackers create administrative accounts to gain full control over the CMS, potentially defacing websites, stealing user data, or installing backdoors.

🟢

If Mitigated

If proper network segmentation and access controls are in place, impact may be limited to the CMS instance itself rather than broader infrastructure.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable without authentication and affects internet-facing web applications, making them prime targets for automated attacks.
🏢 Internal Only: MEDIUM - While still serious, internal-only systems have reduced attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB and other sources, making this easily weaponizable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UliCMS 2023.2 or later

Vendor Advisory: https://en.ulicms.de/

Restart Required: No

Instructions:

1. Back up your UliCMS installation and database.
2. Download the latest version from the official UliCMS website.
3. Replace all files with the updated version.
4. Verify the update was successful by checking the version in the admin panel.

🔧 Temporary Workarounds

Block access to vulnerable endpoint (platform: all)

Temporarily block access to the UserController endpoint via web server configuration or WAF rules. Because the admin panel is served from the same path, this also locks out legitimate administrators; if admin access is still needed, use the IP restriction below instead.

Apache (.htaccess or vhost, requires mod_rewrite):

    RewriteEngine On
    RewriteRule ^dist/admin/index\.php$ - [F]

Nginx (inside the server block):

    location ~ ^/dist/admin/index\.php$ { deny all; }

Implement IP restriction (platform: all)

Restrict access to admin endpoints to trusted IP addresses only. The 192.168.1.0/24 range below is an example; replace it with your own administrative network.

Apache 2.4:

    <Location /dist/admin/>
        Require ip 192.168.1.0/24
    </Location>

Nginx (inside the server block):

    location /dist/admin/ {
        allow 192.168.1.0/24;
        deny all;
    }

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the UliCMS instance
  • Deploy a web application firewall (WAF) with rules to block the specific exploit pattern

🔍 How to Verify

Check if Vulnerable:

Check if your UliCMS version is 2023.1 or earlier. Also test by attempting to access /dist/admin/index.php with POST parameters for user creation.

Check Version:

Check the UliCMS admin dashboard or examine the CHANGELOG.md file in the installation directory.

Verify Fix Applied:

After updating, verify the version shows 2023.2 or later in the admin panel. Test that unauthenticated POST requests to the UserController endpoint no longer create admin accounts.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /dist/admin/index.php with user creation parameters
  • Unusual admin account creation events
  • Failed authentication attempts followed by successful admin actions

Network Indicators:

  • HTTP POST requests to /dist/admin/index.php containing parameters like 'username', 'password', 'email' from unauthenticated sources

SIEM Query (pseudo-syntax; the param= clauses need a log source that records POST parameter names, such as a WAF, reverse proxy with body logging, or application log, since standard web-server access logs contain only the request line):

source="web_server_logs" AND (uri="/dist/admin/index.php" AND method="POST" AND (param="username" OR param="password" OR param="email"))
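The log indicators above, applied to sample log lines as an added example (not code from the original advisory or from UliCMS). It assumes a combined-format access log extended with a trailing params= field listing POST parameter names, as a WAF or proxy with body logging would emit; the log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Optional

# Combined access-log format plus an assumed trailing "params=<name,...>" field
# that a WAF or body-logging proxy would add. Plain Apache/Nginx access logs have
# no such field, so on those only the method+URI part of the match is possible.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: params=(?P<params>\S+))?$'
)

TARGET_PATH = "/dist/admin/index.php"          # endpoint named in the advisory
USER_CREATE_PARAMS = {"username", "password", "email"}  # indicators from the advisory


def classify(line: str) -> Optional[dict]:
    """Return a finding for a POST to the admin endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["uri"].split("?", 1)[0]           # ignore any query string
    if m["method"] != "POST" or path != TARGET_PATH:
        return None
    params = set(m["params"].split(",")) if m["params"] else set()
    matched = params & USER_CREATE_PARAMS
    if matched == USER_CREATE_PARAMS:
        severity = "high"      # full user-creation parameter set present
    elif matched:
        severity = "medium"    # partial overlap, e.g. a normal admin login
    else:
        severity = "review"    # POST to the endpoint, no parameter visibility
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "severity": severity, "matched_params": sorted(matched)}


def scan(lines: Iterable[str]) -> List[dict]:
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "POST /dist/admin/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31" params=username,password,email,group',
    '198.51.100.4 - - [10/Jan/2024:12:00:05 +0000] "POST /dist/admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" params=user,password',
    '192.0.2.9 - - [10/Jan/2024:12:01:00 +0000] "POST /dist/admin/index.php?action=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2024:12:01:10 +0000] "GET /dist/admin/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:12:02:00 +0000] "POST /index.php HTTP/1.1" 200 10 "-" "curl/8.0" params=username,password,email',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Triage the "high" findings first, then cross-check them against the admin account list and the "Unusual admin account creation events" indicator from the application side.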
