CVE-2023-53875
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-18
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gomlab | gom_player | 2.3.90.5360 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53875 is a remote code execution vulnerability in GOM Player version 2.3.90.5360 caused by an insecure Internet Explorer component embedded in the player. Attackers exploit this by performing DNS spoofing to redirect victims to a malicious URL shortcut combined with a WebDAV technique. This allows the attacker to run arbitrary code remotely, including establishing a reverse shell via SMB server interaction, effectively taking control of the victim's system. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary code on your system remotely without requiring privileges but needing user interaction. Through DNS spoofing and malicious payload delivery, attackers can gain a reverse shell on your machine, potentially leading to full system compromise, data theft, or further network attacks. Given GOM Player's wide usage, this poses a significant security risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious DNS spoofing activity and unusual SMB server interactions related to GOM Player. Network administrators can look for DNS requests redirected to unauthorized IP addresses, especially for the domain 'playinfo.gomlab.com'. Additionally, monitoring for unexpected SMB connections or WebDAV traffic originating from systems running GOM Player 2.3.90.5360 may indicate exploitation attempts. Specific commands to assist detection include:
1) Using 'tcpdump' or 'Wireshark' to capture and analyze DNS traffic for signs of spoofing, e.g., 'tcpdump -i <interface> port 53'.
2) Checking SMB connections with 'netstat -an | findstr 445' on Windows to identify unusual SMB sessions.
3) Using 'arp -a' to detect ARP spoofing.
4) Employing DNS spoof detection tools such as 'dnsspoof' in monitoring mode.
These steps help identify the attack chain involving DNS spoofing and SMB server interaction as described in the exploit. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Updating or patching GOM Player to a version that addresses this vulnerability, if available.
2) Restricting or blocking network traffic related to SMB (port 445) and WebDAV protocols from untrusted sources to prevent exploitation.
3) Implementing DNS security measures such as DNSSEC to prevent DNS spoofing attacks.
4) Monitoring and blocking suspicious DNS and ARP spoofing activities on the network.
5) Educating users to avoid opening suspicious URL shortcuts or files, especially those that may trigger the vulnerable IE component within GOM Player.
6) Considering disabling or restricting the use of the Internet Explorer component within GOM Player if possible.
These steps reduce the risk of exploitation via the described attack chain involving DNS spoofing, malicious URL shortcuts, and SMB server interaction. [1, 2]