The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog. The listing underscores the ongoing threat posed by unpatched NVR vulnerabilities, with evidence indicating that attackers are actively exploiting CVE-2023-52163.
The vulnerability, CVE-2023-52163, carries a high CVSS score of 8.8. It enables post-authentication remote code execution through command injection. CISA stated that the flaw is present in Digiever DS-2105 Pro devices and can be triggered via a missing authorization check in the time_tzsetup.cgi file.
Digiever NVR Vulnerability Exploited
CISA's acknowledgment follows multiple reports from the cybersecurity firms Akamai and Fortinet documenting exploitation of CVE-2023-52163 by threat actors. The attackers have been observed leveraging this security gap to deploy botnets, including well-known malware such as Mirai and ShadowV2.
Additionally, a related arbitrary file read vulnerability, CVE-2023-52164 (CVSS score: 5.1), has also been identified in these devices. According to Ta-Lun Yen, a security researcher at TXOne Research, both vulnerabilities remain unpatched primarily because the Digiever DS-2105 Pro has reached its end-of-life (EoL) status, meaning official vendor support and security updates have ceased.
Exploiting CVE-2023-52163 requires an attacker to first gain authenticated access to the device; they can then send a specifically crafted request to trigger the command injection. Because the EoL status means no patches are available, users are strongly advised to implement immediate security measures: prevent any direct internet exposure of the affected NVRs and replace the default administrative credentials with strong, unique passwords.
Implications for Network Security
The inclusion of CVE-2023-52163 in CISA’s KEV catalog mandates specific actions for Federal Civilian Executive Branch (FCEB) agencies. CISA has set a deadline of January 12, 2025, for these agencies to either apply necessary mitigations or completely discontinue the use of the Digiever DS-2105 Pro devices. This directive aims to protect federal networks from ongoing exploitation by malicious actors leveraging this known security weakness.
The exploitation of NVR vulnerabilities like CVE-2023-52163 presents a significant risk to organizations relying on these devices for surveillance and network infrastructure. Compromised NVRs can serve as entry points for broader network intrusions, leading to data breaches, operational disruptions, and the use of these devices in distributed denial-of-service (DDoS) attacks.
Looking ahead, organizations using Digiever DS-2105 Pro NVRs must rely on proactive risk management in the absence of vendor-supplied patches. The January 12, 2025, deadline set by CISA for FCEB agencies highlights the urgency of addressing this known exploited vulnerability. With IoT and network-attached devices under persistent exploitation, vigilance and alternative security controls will be crucial for securing sensitive surveillance systems.