CVE-2023-53959
DLL Hijacking in FileZilla Client 3.63.1 Enables Remote Code Execution

Publication date: 2025-12-19

Last updated on: 2026-04-09

Assigner: VulnCheck

Description
FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches.
Meta Information
Published: 2025-12-19
Last Modified: 2026-04-09
Generated: 2026-05-07
AI Q&A: 2025-12-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: filezilla-project; Product: filezilla_client; Version / Range: 3.63.1
Exploitability
CWE-427: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2023-53959 is a DLL hijacking vulnerability in FileZilla Client version 3.63.1. The application is missing the TextShaping.dll file, which allows an attacker to place a maliciously crafted TextShaping.dll in the application's directory. When FileZilla launches, it loads this malicious DLL, enabling the attacker to execute arbitrary code remotely. Attackers can create a reverse shell payload using msfvenom and replace the missing DLL with their payload to gain control when the application starts. [2, 3]


How can this vulnerability impact me?

This vulnerability allows a local attacker with low privileges to execute high-impact malicious code on the affected system without user interaction. By exploiting the missing TextShaping.dll, the attacker can run a reverse shell payload, effectively gaining remote code execution and control over the system where FileZilla Client 3.63.1 is installed. This can lead to unauthorized access, data theft, or further compromise of the affected machine. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the FileZilla Client installation directory for the presence or absence of the TextShaping.dll file. If the DLL is missing, it indicates the system is vulnerable to DLL hijacking. Additionally, monitoring for unexpected DLL files named TextShaping.dll in the FileZilla directory or unusual network connections (such as reverse shell attempts) can help detect exploitation. Commands to assist detection include listing the contents of the FileZilla directory (e.g., using 'dir' on Windows or 'ls' on Linux if applicable) to verify the presence of TextShaping.dll, and using network monitoring tools like 'netstat' or 'tcpview' to detect suspicious connections. For example, on Windows, you can run: 'dir "C:\Program Files\FileZilla FTP Client\TextShaping.dll"' to check for the DLL, and 'netstat -an | findstr 7777' to check for connections on the reverse shell port if known. Also, running a listener with 'nc -lvp 7777' can help detect incoming reverse shell connections if you suspect exploitation. [2, 3]
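
As an added audit script (not from this advisory or the FileZilla project), the following PowerShell checks the two conditions the detection answer above points at: whether a TextShaping.dll sits in the application directory and whether it carries a valid signature, and whether any non-administrative principal can write to that directory, which is the precondition for planting a DLL there. The install path is assumed to be the default, and the expectation that a legitimate copy of the DLL is Microsoft-signed is an assumption, not something the advisory states.

```powershell
# Added audit script for the CVE-2023-53959 DLL-hijack precondition.
# Assumptions: default install path; a legitimate TextShaping.dll is Microsoft-signed.
param(
    [string]$InstallDir = "C:\Program Files\FileZilla FTP Client"   # assumed default path
)

$dllName = "TextShaping.dll"
$appDll  = Join-Path $InstallDir $dllName
$sysDll  = Join-Path $env:SystemRoot "System32\$dllName"

# 1. A DLL in the application directory is found before System32 in the default
#    search order (CWE-427), so any copy here that is not properly signed is suspect.
if (Test-Path $appDll) {
    $sig    = Get-AuthenticodeSignature -FilePath $appDll
    $signer = $sig.SignerCertificate.Subject
    if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
        Write-Output "[INFO] $appDll present and Microsoft-signed ($signer)"
    } else {
        Write-Output "[ALERT] $appDll present; signature status '$($sig.Status)', signer '$signer'"
        Get-FileHash -Algorithm SHA256 -Path $appDll | Format-List Path, Hash
    }
} else {
    Write-Output "[INFO] no $dllName in $InstallDir"
}
if (Test-Path $sysDll) {
    Write-Output "[INFO] system copy present at $sysDll"
} else {
    Write-Output "[WARN] no system copy at $sysDll"
}

# 2. Placing a DLL in the install directory requires write access, so an Allow ACE
#    granting Write (or Modify/FullControl, which include it) to a principal outside
#    the trusted set below is the weakness to fix.
$writeRights       = [System.Security.AccessControl.FileSystemRights]::Write
$trustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$acl = Get-Acl -Path $InstallDir
foreach ($ace in $acl.Access) {
    $grantsWrite = ($ace.FileSystemRights -band $writeRights) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
        $trustedPrincipals -notcontains $ace.IdentityReference.Value) {
        Write-Output "[ALERT] $($ace.IdentityReference) can write to $InstallDir ($($ace.FileSystemRights))"
    }
}
```

Run it from an elevated prompt so Get-Acl can read the directory's full ACL; an [ALERT] line on the ACL check is the finding to act on, since the write-permission restriction in the mitigation answer depends on it.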


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include ensuring that the legitimate TextShaping.dll is present in the FileZilla Client installation directory to prevent DLL hijacking. If the DLL is missing, obtain the correct DLL from a trusted source or reinstall FileZilla Client version 3.63.1 or later where the issue is fixed. Restrict write permissions on the FileZilla installation folder to prevent attackers from placing malicious DLLs. Additionally, monitor and block suspicious network activity related to reverse shell connections. Avoid running FileZilla Client with elevated privileges to reduce the impact of potential exploitation. [2, 3]

