Dec 25, 2025Ravie LakshmananVulnerability / Endpoint Safety
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) added a safety flaw impacting Digiever DS-2105 Professional community video recorders (NVRs) to its Recognized Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability, tracked as CVE-2023-52163 (CVSS rating: 8.8), pertains to a case of command injection that permits post-authentication distant code execution.
“Digiever DS-2105 Professional accommodates a lacking authorization vulnerability which might permit for command injection through time_tzsetup.cgi,” CISA stated.
The addition of CVE-2023-52163 to the KEV catalog comes within the a number of studies from Akamai and Fortinet in regards to the exploitation of the flaw by menace actors to ship botnets like Mirai and ShadowV2.
In line with TXOne Analysis safety researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file learn bug (CVE-2023-52164, CVSS rating: 5.1), stays unpatched as a result of gadget reaching end-of-life (EoL) standing.
Profitable exploitation requires an attacker to be logged into the gadget and carry out a crafted request. Within the absence of a patch, it is suggested that customers keep away from exposing the gadget to the web and alter the default username and password.
CISA can also be recommending that Federal Civilian Government Department (FCEB) companies apply the mandatory mitigations or discontinue use of the product by January 12, 2025, to safe their community from energetic threats.
