U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Digiever DS-2105 Pro flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Digiever DS-2105 Pro vulnerability, tracked as CVE-2023-52163 (CVSS Score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog.
Digiever DS-2105 Pro is a network video recorder (NVR) device designed for IP camera surveillance, acting as a standalone Linux-based system that records and manages video feeds from multiple cameras over a network. Users can view live and recorded footage locally or remotely via web interfaces. These devices are commonly used in small to medium-sized security installations.
Digiever DS-2105 Pro devices running firmware version 3.1.0.71-11 are affected by a command injection vulnerability in the time_tzsetup.cgi CGI script. An attacker can trigger the flaw to inject and execute arbitrary operating system commands by sending specially crafted HTTP requests that include malicious input not properly validated or sanitized by the application.
If exploited, the vulnerability could enable a remote attacker to execute commands with the privileges of the web service, potentially leading to full compromise of the device, including unauthorized access, configuration changes, data exposure, or use of the device as a pivot point for further attacks.
The issue only affects end-of-life (EoL) products that are no longer supported or patched by Digiever, meaning no official security updates are available. As a result, affected devices remain permanently vulnerable unless mitigated through compensating controls.
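With no vendor patch available, one compensating control is to watch the web server's access log for requests to the affected time_tzsetup.cgi script whose parameters carry shell metacharacters. The script below is an added example written for this article, not Digiever code: the log lines, the cgi-bin directory and the parameter name timezone are constructed assumptions, and only GET query strings are visible in an access log (POST bodies would need a request-capturing proxy).

```python
"""Flag requests to time_tzsetup.cgi whose parameters contain shell metacharacters.
Added example for this article; parameter names and log lines are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters that have no place in a timezone value.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
# What a legitimate tz-database name looks like, e.g. "Asia/Taipei" or "Etc/GMT-8".
SAFE_TZ = re.compile(r"^[A-Za-z0-9_+\-/]{1,64}$")
# Common (Apache-style) access-log layout; unmatched lines are skipped.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the /cgi-bin/ prefix is an assumption, not the device's real path.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jan/2026:10:00:01 +0000] "GET /cgi-bin/time_tzsetup.cgi?timezone=Asia/Taipei HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Jan/2026:10:00:07 +0000] "GET /cgi-bin/time_tzsetup.cgi?timezone=Asia/Taipei%3Bid HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Jan/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def check_request(target):
    """Return (is_cgi_hit, offending_param_names) for one request target.

    Only the script's basename is compared, so the directory it lives in does not matter.
    parse_qsl percent-decodes values once, which is what a CGI would see."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "time_tzsetup.cgi":
        return False, []
    offending = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value) or not SAFE_TZ.match(value):
            offending.append(key)
    return True, offending


def scan_log(lines):
    """Return one alert dict per request to the CGI that carries a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        hit, bad = check_request(m.group("target"))
        if hit and bad:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "params": bad})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```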
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by January 12, 2026.
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)
