Key Information

Vulnerability name: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Remote Command Injection
Severity: CRITICAL
Published: December 22, 2025
CVE ID: CVE-2023-53963
CVSS score: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows a remote attacker to inject arbitrary shell commands through the 'password' parameter. By injecting shell commands in the login.php and index.php scripts, an attacker can execute commands with the privileges of the web server.

Related weakness type: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References:
- ExploitDB-51173
- SOUND4 Official Product Homepage
- Zero Science Lab Disclosure (ZSL-2022-5738)

Submitter: LiquidWorm as Gjoko Krstic of Zero Science Lab

Affected versions:
- Sound4 Impact/Pulse/First Version 2: 1.1/2.15, Version 2: 1.1/2.15
- Sound4 Impact/Pulse Eco 1.16
- Sound4 BigVoice4 1.2
- Sound4 BigVoice2 1.30
- Sound4 airStream 1.1/2.4.29
- Sound4 SolfiVM2 1.11