CVE-2023-53981

7.2 HIGH

📋 TL;DR

PhotoShow 3.0 contains a remote code execution vulnerability: an authenticated administrator can inject operating-system commands through the exiftran path configuration. The public exploit abuses the ffmpeg settings, storing a base64-encoded reverse shell command in the configuration, which is executed when a crafted video is uploaded. Only PhotoShow 3.0 installations are affected, and exploitation requires administrator access.

💻 Affected Systems

Products:
  • PhotoShow
Versions: 3.0
Operating Systems: Linux, Windows, All platforms running PhotoShow
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator authentication. The vulnerability is in the exiftran path configuration handling during video upload processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining root/system-level access, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case: Unauthorized code execution leading to data theft, website defacement, or use as a pivot point for internal network attacks.

🟢 If Mitigated: Limited impact if proper access controls, input validation, and network segmentation are implemented.

🌐 Internet-Facing: HIGH - Web applications with administrator interfaces exposed to the internet are directly exploitable.
🏢 Internal Only: MEDIUM - Requires authenticated administrator access, but internal threats or compromised credentials could lead to exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires administrator credentials. Public exploit code exists showing base64-encoded reverse shell execution through ffmpeg configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Consider upgrading to a newer version if available, or implement workarounds and security controls.

🔧 Temporary Workarounds

Input Validation for exiftran Path (applies to: all)

Implement strict input validation and sanitization for the exiftran path configuration parameter to prevent command injection.

  • Modify the PhotoShow source code to validate and sanitize the exiftran path input using a whitelist approach

Restrict Administrator Access (applies to: all)

Limit administrator accounts to trusted users only and implement strong authentication controls.

  • Review and reduce administrator accounts
  • Implement MFA for admin access
  • Monitor admin account activity

🧯 If You Can't Patch

  • Implement network segmentation to isolate PhotoShow server from critical systems
  • Deploy web application firewall (WAF) with command injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running PhotoShow 3.0 and review exiftran path configuration handling in source code for command injection vulnerabilities.

Check Version:

Check PhotoShow version in admin panel or review application files for version information

Verify Fix Applied:

Test video upload functionality with malicious payloads to ensure command injection is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ffmpeg or exiftran command executions
  • Base64 encoded strings in upload requests
  • Suspicious video upload activity from admin accounts

Network Indicators:

  • Outbound connections from PhotoShow server to unknown IPs
  • Reverse shell connections from web server

SIEM Query:

source="photoshow.log" AND ("exiftran" OR "ffmpeg") AND (command="*base64*" OR command="*sh *" OR command="*bash*")

Note the parentheses around the command clause: without them, OR binds more loosely than AND, so the query would match any event with command="*sh *" or command="*bash*" regardless of source or tool.
