CVE-2023-53894
Unknown Unknown - Not Provided
Authentication Bypass in phpfm 1.7.9 Enables Remote Code Upload

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: VulnCheck

Description
phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53894
EUVD
EUVD-2023-60196
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpfm phpfm 1.7.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1390 The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in phpfm 1.7.9 is an authentication bypass caused by PHP's loose type comparison during password hash validation. Attackers can craft password hashes starting with prefixes like '0e' or '00e' which PHP interprets as zero in scientific notation. Because the application uses loose comparison (==) to check the password hash against the logged-on status, these specially crafted hashes evaluate as true, allowing attackers to bypass authentication without knowing the real password. This lets them log in and upload malicious PHP files to the server. [2]

Impact Analysis

This vulnerability allows attackers to bypass authentication and gain unauthorized access to the phpfm application. Once authenticated, attackers can upload malicious PHP files, such as web shells, to the server. This can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially compromising the entire system and its data. [2]

Detection Guidance

Detection can involve checking for unauthorized access or uploaded PHP shell files on the server, especially files like 'shell.php' in web-accessible directories. Monitoring HTTP POST requests to the phpfm endpoint that include suspicious PHP payloads can help identify exploitation attempts. Since the vulnerability involves authentication bypass via crafted password hashes starting with '0e' or '00e', reviewing authentication logs for unusual login patterns or successful logins without valid credentials is useful. Specific commands are not provided in the resources, but monitoring web server logs for POST requests to phpfm and scanning for unexpected PHP files in upload directories are recommended. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the phpfm application, disabling or removing the vulnerable phpfm versions (1.6.1 through 1.7.9), and preventing file uploads if possible. Applying strict type comparison in the authentication logic or updating to a patched version when available is critical. Additionally, monitoring and removing any uploaded malicious PHP files and restricting execution permissions in upload directories can reduce risk. Using network controls to block unauthorized access to the phpfm endpoint and reviewing server configurations to limit PHP execution in upload folders are also recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53894. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart