CVE-2023-53875: Cleartext Transmission of Sensitive Information in Gomlab GOM Player
CVE-2023-53875 is a high-severity remote code execution vulnerability in Gomlab GOM Player version 2.3.90.5360. The flaw lies in the Internet Explorer component embedded in the player: an attacker who can spoof DNS responses and lure a user into opening a malicious URL shortcut can redirect the victim to attacker-controlled resources over WebDAV and execute arbitrary code. This can lead to a reverse shell that interacts with an SMB server, giving the attacker control of the affected system. The vulnerability requires no privileges but does require user interaction. No exploits are currently reported in the wild. European organizations running this version of GOM Player are at risk, especially those with broad use of multimedia software and legacy Internet Explorer components. Mitigation involves updating the software once a patch is available, restricting network access to SMB services, and educating users about suspicious URL shortcuts.
AI Analysis
Technical Summary
CVE-2023-53875 is a remote code execution vulnerability identified in Gomlab's GOM Player version 2.3.90.5360. The flaw resides in the integration of the Internet Explorer component within the player, which can be exploited through DNS spoofing attacks. Attackers can craft malicious URL shortcuts that, when opened by a user, redirect the victim to attacker-controlled resources using WebDAV techniques. This redirection facilitates the execution of a reverse shell that interacts with SMB servers, allowing attackers to execute arbitrary code remotely on the victim's machine. The vulnerability does not require any prior authentication or privileges but does require user interaction to trigger the malicious URL shortcut. The attack vector leverages network-level manipulation (DNS spoofing) combined with client-side exploitation, making it a potent threat in environments where users access untrusted networks or maliciously crafted links. Although no exploits are currently reported in the wild, the complexity of the attack and the reliance on legacy Internet Explorer components embedded in GOM Player increase the risk profile. The CVSS 4.0 score of 7.5 indicates a high severity, primarily due to the potential impact on confidentiality, integrity, and availability, as well as the remote and unauthenticated nature of the attack.
Potential Impact
For European organizations, this vulnerability poses a significant risk of remote system compromise, particularly in environments where GOM Player is widely used for multimedia playback. Successful exploitation can lead to unauthorized access, data exfiltration, lateral movement within networks via SMB interactions, and potential deployment of further malware or ransomware. The reliance on DNS spoofing means that organizations with users frequently connecting to untrusted or public networks are at higher risk. Additionally, the use of legacy Internet Explorer components increases exposure, especially in enterprises with legacy software dependencies. The compromise of endpoints can disrupt business operations, lead to data breaches, and damage organizational reputation. Given the high severity and remote exploitation capability, critical infrastructure sectors, media companies, and enterprises with large multimedia user bases in Europe should be particularly vigilant.
Mitigation Recommendations
1. Immediately audit and inventory all systems running GOM Player version 2.3.90.5360 and restrict or disable its use until a patch is available.
2. Monitor network traffic for unusual DNS activity and implement DNS security measures such as DNSSEC to mitigate spoofing risks.
3. Restrict SMB protocol access on endpoints and network segments to only trusted devices and networks, using firewall rules and network segmentation.
4. Educate users to avoid opening suspicious URL shortcuts or links, especially those received from untrusted sources or over unsecured networks.
5. Employ endpoint detection and response (EDR) solutions to detect anomalous behaviors related to reverse shell activity and SMB interactions.
6. Once available, apply vendor patches promptly and verify the update integrity.
7. Consider disabling or isolating legacy Internet Explorer components embedded within applications if feasible.
8. Conduct regular vulnerability scanning and penetration testing focused on multimedia applications and legacy components.
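As an added example covering mitigation steps 1 and 3 (not part of the advisory or of Gomlab's tooling), the following PowerShell script inventories GOM Player installations on a Windows host via the standard Uninstall registry keys, flags the affected version 2.3.90.5360, and stages an outbound firewall rule that blocks SMB (TCP/445) to Internet addresses. It assumes the product registers a DisplayName containing "GOM Player"; adjust the pattern if your installs differ.

```powershell
# Added example, not vendor code: find GOM Player installs and flag the
# version named in the advisory (2.3.90.5360).
# Assumption: the product's Uninstall entry has a DisplayName containing
# "GOM Player"; change the -like pattern if it does not match on your hosts.
$AffectedVersion = [version]'2.3.90.5360'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-GomPlayerInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*GOM Player*' } |
        ForEach-Object {
            # DisplayVersion may be absent or non-numeric; treat unparsable as unknown
            $parsed = $null
            $isVersion = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                InstallPath    = $_.InstallLocation
                Affected       = $isVersion -and ($parsed -eq $AffectedVersion)
            }
        }
}

$installs = @(Get-GomPlayerInstall)
if ($installs.Count -eq 0) {
    Write-Output "No GOM Player installation found on $env:COMPUTERNAME."
} else {
    $installs | Format-Table -AutoSize
}

# Mitigation step 3: block outbound SMB (TCP/445) to Internet addresses so a
# DNS-spoofed WebDAV/SMB redirect cannot reach an external server.
# Runs with -WhatIf so it only previews; drop -WhatIf in an elevated shell to apply.
if ($installs | Where-Object { $_.Affected }) {
    New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-53875 mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any -WhatIf
}
```

For fleet-wide use, wrap the inventory function in Invoke-Command against your host list and collect the Affected column centrally before deciding on the firewall rollout.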
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-13T14:25:04.999Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69407360d9bcdf3f3d00c3c4
Added to database: 12/15/2025, 8:45:20 PM
Last enriched: 12/22/2025, 9:50:36 PM
Last updated: 2/5/2026, 9:05:03 PM