PT-2025-1555 · Digiever · Digiever Ds-2105 Pro

Ta-Lun Yen · Published 2025-01-23 · Updated 2026-01-03 · CVE-2023-52163

CVSS v3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Digiever DS-2105 Pro versions 3.1.0.71-11
Digiever DS-2105 Pro (affected versions not specified)
Description
The Digiever DS-2105 Pro network video recorder (NVR) has a missing-authorization flaw that allows command injection via the time_tzsetup.cgi endpoint. After successful authentication, an attacker can execute arbitrary commands on the system. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this issue to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Researchers have linked exploitation attempts to the Mirai and ShadowV2 botnets. The device is reported to be end-of-life and no longer supported by the vendor. The vulnerability has a CVSS score of 8.8 (High).
API Endpoints
/time_tzsetup.cgi
Recommendations
Digiever DS-2105 Pro versions 3.1.0.71-11: Given that the device is end-of-life and unpatched, avoid exposing the NVR to the internet.
Digiever DS-2105 Pro versions 3.1.0.71-11: Change default usernames and passwords to enhance security.
Digiever DS-2105 Pro (affected versions not specified): Isolate or segment the affected NVR/DVR management interfaces.
Digiever DS-2105 Pro (affected versions not specified): Implement least-privilege controls.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-10935
CVE-2023-52163

Affected Products

Digiever Ds-2105 Pro