CVE-2023-52163: Digiever NVR Command Injection

CVE ID: CVE-2023-52163

Severity: MEDIUM | CVSS: 5.9 (NVD) / 8.8 (Active Exploitation Context)

Sources: 2 different security sources

Let Me Explain What Happened

Let me walk you through something important that's happening right now with certain network video recorders. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers are actively exploiting a vulnerability in Digiever DS-2105 Pro network video recorders—devices that businesses use to manage their security camera systems. Think of this like discovering that someone has found a way to break into a security guard's control room and take over the very cameras meant to protect you. What makes this particularly concerning is that these devices are no longer supported by the manufacturer, which means no security updates are coming to fix this problem.

A Bit More Detail

Here's what's going on under the hood: The vulnerability exists in a component called time_tzsetup.cgi, which handles timezone configuration settings. Attackers who have already authenticated to the device can inject malicious commands through this interface, essentially telling the device to execute whatever instructions they want. CISA added this vulnerability to their Known Exploited Vulnerabilities catalog on December 22, 2025, which is their way of saying "this isn't theoretical anymore—we're seeing real attacks in the wild."

The Technical Specifics

  • Attack Vector: LOCAL (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  • Affected Products: Digiever DS-2105 Pro version 3.1.0.71-11 (end-of-life devices)
  • Vulnerability Type: Command Injection via time_tzsetup.cgi
  • CWE Classification: CWE-862 (Missing Authorization)
  • Authentication Required: Yes (post-authentication exploitation)
  • Impact: Remote code execution allowing attackers to compromise confidentiality, integrity, and availability

Understanding the Discrepancy in Severity Ratings

Now, you might notice something interesting here—the National Vulnerability Database rates this as a 5.9 (MEDIUM severity) with a LOCAL attack vector, while The Hacker News reports it as 8.8 with remote code execution capabilities. Let me explain what's happening. The NVD's rating reflects the technical characteristics of the vulnerability itself: it requires local access and has limited impact on each security dimension. However, in real-world exploitation scenarios where attackers have already gained initial access (perhaps through weak credentials or another vulnerability), this becomes a powerful tool for remote code execution. CISA's decision to add this to their KEV catalog despite the moderate CVSS score tells us that the practical exploitation risk is significantly higher than the base score suggests.

Why End-of-Life Devices Make This Worse

Here's something crucial to understand: Digiever no longer supports these DS-2105 Pro devices. Imagine if the lock manufacturer for your front door went out of business, and then someone discovered a way to pick that specific lock. You can't call the manufacturer for a fix—they're gone. That's exactly the situation here. The NVD explicitly notes that "this vulnerability only affects products that are no longer supported by the maintainer." This means there will be no official patch, no security update, and no firmware fix coming from Digiever.

What You Should Do About This

  • Right Now (Emergency Actions):
    • Identify affected devices: Search your network for Digiever DS-2105 Pro devices running firmware version 3.1.0.71-11. Check your asset inventory and network scanning tools.
    • Isolate from the internet: If these devices must remain operational, remove them from direct internet access immediately. Place them behind a firewall with strict access controls.
    • Review access logs: Check authentication logs for unusual login patterns, especially access to configuration interfaces or timezone settings.
    • Change all credentials: Update passwords for all accounts on these devices, using strong, unique passwords. Assume existing credentials may be compromised.
  • For the Long Term (Strategic Actions):
    • Plan for replacement: Since these are end-of-life devices with no patch available, develop a migration plan to replace them with currently-supported NVR systems. This isn't optional—it's necessary.
    • Network segmentation: If immediate replacement isn't possible, isolate these devices on a separate VLAN with no access to critical systems. Treat them as untrusted devices.
    • Monitor continuously: Implement enhanced logging and monitoring for any remaining devices. Watch for command execution attempts, configuration changes, or unusual network traffic.
    • Restrict administrative access: Limit who can access the web interface of these devices. Allow access only over a VPN, and never expose management interfaces to the public internet.
    • Document the risk: If business constraints prevent immediate replacement, formally document the risk, get management acknowledgment, and establish a timeline for remediation.

Detection Guidance

If you're a security analyst or SOC team member, here's what to look for in your environment:

  • Network-based detection: Monitor for HTTP POST requests to /time_tzsetup.cgi with unusual parameters or command injection patterns (semicolons, pipes, backticks in timezone parameters)
  • Log analysis: Review web server logs on Digiever devices for repeated access to configuration CGI scripts, especially from unexpected source IPs
  • Behavioral indicators: Watch for new processes spawned by the web server, outbound connections from the NVR to unexpected destinations, or configuration changes outside maintenance windows
  • Authentication anomalies: Look for successful logins followed immediately by access to time_tzsetup.cgi, especially from accounts that don't normally modify system settings
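
The network and authentication checks above, sketched as an added example (not part of the original advisory or any vendor tooling). It assumes a proxy log with one request per line (timestamp, source IP, method, path, URL-encoded body); the `/login.cgi` path, the `zone` field, the management-host allowlist and every sample record are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed sample records, not real traffic. Assumed format per line:
# ISO timestamp, source IP, method, path, URL-encoded body ("-" if none).
SAMPLE_LOG = """\
2025-12-22T10:00:01 10.0.5.20 POST /login.cgi user=admin
2025-12-22T10:00:03 10.0.5.20 POST /time_tzsetup.cgi zone=UTC%3Becho+test
2025-12-22T11:30:00 10.0.5.7 POST /time_tzsetup.cgi zone=Europe%2FBerlin
2025-12-22T12:00:00 203.0.113.9 POST /time_tzsetup.cgi zone=UTC%7Cecho
2025-12-22T12:05:00 10.0.5.7 GET /index.cgi -
"""

TARGET = "/time_tzsetup.cgi"
LOGIN_PATH = "/login.cgi"           # hypothetical login endpoint
MGMT_HOSTS = {"10.0.5.7"}           # assumed allowlist of admin workstations
WINDOW = timedelta(seconds=10)      # assumed threshold for "immediately after login"
# Semicolon, pipe and backtick (named above), plus &, $( and line breaks.
SHELL_META = re.compile(r"[;|`&\r\n]|\$\(")

def analyze(log_text):
    """Return (timestamp, source, reasons) for each suspicious TARGET request."""
    alerts, last_login = [], {}
    for line in filter(str.strip, log_text.splitlines()):
        ts_raw, src, method, path, body = line.split(None, 4)
        ts = datetime.fromisoformat(ts_raw)
        if method == "POST" and path == LOGIN_PATH:
            last_login[src] = ts    # request seen in the log; success is assumed
            continue
        if path != TARGET:
            continue
        reasons = []
        fields = parse_qsl(body, keep_blank_values=True)  # splits and URL-decodes
        if method == "POST" and any(
                SHELL_META.search(k) or SHELL_META.search(v) for k, v in fields):
            reasons.append("shell-metacharacter")
        if src in last_login and ts - last_login[src] <= WINDOW:
            reasons.append("login-then-tzsetup")
        if src not in MGMT_HOSTS:
            reasons.append("unexpected-source")
        if reasons:
            alerts.append((ts.isoformat(), src, reasons))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Adapt the line format and the allowlist to whatever sits in front of the NVR; the device's own logs may not record request bodies.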

The Timeline of This Threat

Let me walk you through how this situation developed. The vulnerability was initially documented and assigned CVE-2023-52163 in 2023, with security researchers from Akamai and TXOne Networks publishing detailed analyses. However, it remained relatively quiet until December 22, 2025, when CISA added it to their Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The Hacker News reported on CISA's action on December 25, 2025, bringing wider attention to the threat. This timeline tells us that attackers have had years to develop and refine their exploitation techniques, and they're now actively using them against vulnerable systems.

Understanding the Broader Context

This vulnerability fits into a concerning pattern we're seeing across the IoT and physical security device landscape. Network video recorders, IP cameras, and similar devices often receive less security attention than traditional IT infrastructure, yet they sit on the same networks with access to sensitive areas. When these devices reach end-of-life, they become permanent security holes—vulnerabilities that will never be fixed. The fact that CISA prioritized this for their KEV catalog tells us that federal agencies are seeing exploitation attempts, which typically means the threat has already spread to private sector targets as well.

For Federal Agencies and Critical Infrastructure

If you're working in a federal agency or critical infrastructure organization, CISA's Binding Operational Directive 22-01 requires you to remediate KEV catalog vulnerabilities within prescribed timeframes. For this vulnerability, that means you need to take action quickly. Given that no patch exists, your remediation will likely involve device replacement or network isolation with compensating controls. Document your remediation approach and timeline, and ensure leadership understands why replacement may be the only viable long-term solution.

Going Deeper: The Technical Mechanics

For those who want to understand the technical details, command injection vulnerabilities like this occur when an application passes user-supplied input to a system shell without proper sanitization. In this case, the time_tzsetup.cgi script likely takes timezone parameters and passes them to system commands for configuration. An attacker can inject shell metacharacters (like semicolons, pipes, or backticks) to break out of the intended command and execute arbitrary code. The CWE-862 classification (Missing Authorization) suggests that the script also fails to properly verify that the user should have permission to execute these configuration changes, though post-authentication access is still required. Once an attacker achieves code execution on the NVR, they can pivot to other network resources, exfiltrate video footage, disable recording, or use the device as a foothold for further attacks.
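
The pattern described above next to a hardened form, as an added example (illustrative Python, not the device's firmware or the vendor's code). The helper path `/usr/sbin/set-timezone`, the `zone` field and the `admin` role name are hypothetical; the hardened handler covers both gaps the paragraph names, authorization and input handling.

```python
import re

# IANA-style zone names only: starts with a letter, at most three "/"-separated parts.
TZ_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_+-]{0,31}(?:/[A-Za-z0-9_+-]{1,32}){0,2}")
SET_TZ = "/usr/sbin/set-timezone"   # hypothetical helper binary
ADMIN_ROLES = {"admin"}             # hypothetical role name

def unsafe_command(tz):
    """Vulnerable pattern: raw input concatenated into a string meant for sh -c."""
    return f"{SET_TZ} {tz}"         # the shell would interpret any metacharacters in tz

def handle_tz_request(session, form):
    """Hardened pattern: authorize, validate, then build an argv list (no shell)."""
    if session.get("role") not in ADMIN_ROLES:   # authorization check (cf. CWE-862)
        return 403, None
    tz = form.get("zone", "")                    # hypothetical field name
    if not TZ_NAME.fullmatch(tz):                # allowlist, not a metacharacter blocklist
        return 400, None
    # An argv list is executed directly (subprocess.run(argv), shell=False), so the
    # value reaches the helper as a single argument and is never parsed by a shell.
    return 200, [SET_TZ, "--", tz]

if __name__ == "__main__":
    print(unsafe_command("UTC;echo test"))
    print(handle_tz_request({"role": "admin"}, {"zone": "Europe/Berlin"}))
    print(handle_tz_request({"role": "admin"}, {"zone": "UTC;echo test"}))
    print(handle_tz_request({"role": "viewer"}, {"zone": "Europe/Berlin"}))
```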

Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere. Given that these devices are end-of-life with no patches available, replacement rather than patching is the recommended long-term solution.