CVE-2023-52163 — Digiever DS-2105 Pro Missing Authorization Vulnerability

CVE-2023-52163

Digiever DS-2105 Pro NVR — Missing Auth Enables OS Command Injection via time_tzsetup.cgi; Mirai Botnet Targeting CCTV/NVR Devices; KEV December 2025

What is Digiever DS-2105 Pro?

Digiever is a Taiwanese manufacturer of network video recorders (NVRs) and IP camera systems for physical security and surveillance deployments. The DS-2105 Pro is a network-attached NVR that receives, records, and manages video feeds from IP cameras over a local network or the internet. NVR devices run embedded Linux firmware with web-based management interfaces and are often internet-accessible — either intentionally (for remote monitoring) or accidentally (due to port forwarding configurations). CCTV and NVR devices are a recurring target for Mirai botnet variants and other IoT malware campaigns: they are always-on, rarely receive firmware updates, run Linux, and provide useful compute and network resources for DDoS infrastructure or proxy traffic.

Overview

CVE-2023-52163 is a missing authorization vulnerability in the Digiever DS-2105 Pro NVR that allows a low-privilege authenticated attacker to execute OS commands via the time_tzsetup.cgi endpoint, which handles timezone configuration. Because authorization checks on this endpoint are absent or insufficient, an attacker with any valid login (including guest or viewer accounts) can invoke the timezone configuration CGI script with injected OS commands. CISA added it to the Known Exploited Vulnerabilities catalog in December 2025, confirming active botnet exploitation.

Affected Versions

Product: Digiever DS-2105 Pro
Status: Affected; apply vendor patch per Digiever advisory

Technical Details

The weakness is classified as CWE-862 (Missing Authorization). The DS-2105 Pro's web interface includes time_tzsetup.cgi, a CGI script that processes timezone configuration requests. This endpoint should require administrative authorization to invoke, but authorization enforcement is absent or bypassed. A low-privilege authenticated user can send a crafted HTTP request to time_tzsetup.cgi with shell metacharacters injected into parameter values, which are then passed to the underlying Linux shell.

Command injection via CGI timezone handlers is a well-established pattern in embedded Linux device firmware: timezone settings often invoke OS-level tzdata or timedatectl commands, and insufficient input sanitization in the CGI wrapper allows injecting arbitrary commands alongside legitimate timezone values. Successful exploitation provides OS command execution under the web server process user (typically root on embedded Linux NVRs), enabling backdoor installation, botnet agent deployment, and access to recorded video data.
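The three controls whose absence is described above (a role check, strict validation of the timezone value, and execution without a shell), as an added sketch that is not Digiever firmware code. The role name, the `Session` type, the allowlist contents and all function names are assumptions made for illustration.

```python
import subprocess
from dataclasses import dataclass

ADMIN_ROLE = "admin"  # assumed role name, not taken from the firmware
# Constructed allowlist; a real device would enumerate its zoneinfo directory.
ALLOWED_ZONES = frozenset({"UTC", "Asia/Taipei", "Europe/Berlin", "America/New_York"})


class Forbidden(Exception):
    """Caller is authenticated but lacks the required role (HTTP 403)."""


class BadRequest(Exception):
    """Parameter is not a known timezone name (HTTP 400)."""


@dataclass(frozen=True)
class Session:  # hypothetical session object produced by the login layer
    user: str
    role: str


def build_tz_command(session, tz_param):
    # Control 1, authorization: a valid login is not enough, the role must match.
    # Checked first so unprivileged callers learn nothing about validation.
    if session.role != ADMIN_ROLE:
        raise Forbidden(f"{session.user} may not change system time settings")
    # Control 2, validation: exact match against known names, so nothing
    # beyond a timezone identifier can reach the command line.
    if tz_param not in ALLOWED_ZONES:
        raise BadRequest("unknown timezone")
    # Control 3, no shell: an argv list is passed to exec directly.
    return ["timedatectl", "set-timezone", tz_param]


def apply_timezone(session, tz_param, run=subprocess.run):
    """Execute the validated command; `run` is injectable for testing."""
    return run(build_tz_command(session, tz_param), shell=False, check=True, timeout=5)


def outcome(session, tz_param):
    """Map a request to the HTTP status this handler would return."""
    try:
        build_tz_command(session, tz_param)
        return 200
    except Forbidden:
        return 403
    except BadRequest:
        return 400
```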

Discovery

The vulnerability was identified by security researchers and disclosed in February 2025. The late CVE publication date (2025), despite the CVE ID indicating a 2023 vulnerability, reflects the delayed CVE assignment timeline common for embedded device vulnerabilities.

Exploitation Context

NVR and CCTV devices from multiple vendors are systematically exploited by Mirai botnet variants that maintain large databases of known CGI vulnerabilities across embedded Linux devices. The KEV addition in December 2025 confirms that CVE-2023-52163 was incorporated into active botnet scanning and exploitation campaigns. Internet-accessible NVRs are identified at scale by botnet operators using Shodan and similar scanning infrastructure, then automatically exploited to deploy botnet agents. Compromised NVRs are used for DDoS attacks and as proxy relay nodes.

Remediation

  1. Apply the firmware update from Digiever's security advisory for the DS-2105 Pro immediately.
  2. If a firmware update is not available or the device is end-of-life: remove the device from internet-accessible networks and restrict access to trusted local networks only.
  3. Disable remote access via port forwarding or direct internet exposure — NVR management and RTSP streams should be accessed via VPN rather than direct internet exposure.
  4. Check the NVR's active network connections and running processes for evidence of botnet malware (unexpected outbound connections to external IPs, high network utilization without active recording).
  5. Change all NVR user account passwords. Because the vulnerability needs only a low-privilege login (PR:L), default credentials and weak passwords make exploitation easier.
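To support the compromise check in step 4, the following added example (not part of the original advisory) scans web access logs from a proxy or firewall in front of the NVR for requests to time_tzsetup.cgi and flags those carrying shell metacharacters. The log format (combined log format), the URL directory and the `tz` parameter name are assumptions; the page gives only the endpoint filename.

```python
import re
from urllib.parse import urlsplit, unquote

ENDPOINT = "time_tzsetup.cgi"  # endpoint named in the advisory
SHELL_META = re.compile(r"[;|&`$(){}<>\\\r\n]")
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: documentation-range IPs; the directory and the "tz"
# parameter name are placeholders, the page gives neither.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [22/Dec/2025:10:01:02 +0000] "GET /PLACEHOLDER/time_tzsetup.cgi?tz=Asia%2FTaipei HTTP/1.1" 200 312
198.51.100.23 - - [22/Dec/2025:10:02:11 +0000] "GET /PLACEHOLDER/time_tzsetup.cgi?tz=UTC%3Bx HTTP/1.1" 200 0
198.51.100.23 - - [22/Dec/2025:10:02:12 +0000] "GET /PLACEHOLDER/time_tzsetup.cgi?tz=UTC%2560x%2560 HTTP/1.1" 200 0
203.0.113.9 - - [22/Dec/2025:10:03:40 +0000] "POST /PLACEHOLDER/time_tzsetup.cgi HTTP/1.1" 200 57
"""


def classify(line):
    """Return (src, method, verdict) for endpoint hits, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not unquote(parts.path).lower().endswith("/" + ENDPOINT):
        return None
    # Any hit on the endpoint from an untrusted network deserves review.
    # POST bodies are not in access logs, so they never score higher here.
    verdict = "review"
    for piece in parts.query.split("&"):
        # Decode twice so double-encoded metacharacters (%253B) are caught.
        if SHELL_META.search(unquote(unquote(piece))):
            verdict = "alert"
    return (m["src"], m["method"], verdict)


def scan(log_text):
    """Classify every line and keep only hits on the endpoint."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

A "review" verdict on a POST means only that the endpoint was reached; confirming or ruling out injection there requires request-body logging at the proxy or a packet capture.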

Key Details

Property: Value
CVE ID: CVE-2023-52163
Vendor / Product: Digiever / DS-2105 Pro
NVD Published: 2025-02-03
NVD Last Modified: 2025-12-24
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-862
CISA KEV Added: 2025-12-22
CISA KEV Deadline: 2026-01-12
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-01-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date: Event
2025-02-03: CVE-2023-52163 published (Digiever DS-2105 Pro missing authorization enabling command injection via time_tzsetup.cgi)
2025-12-22: CISA adds to Known Exploited Vulnerabilities catalog; active botnet exploitation confirmed
2026-01-12: CISA BOD 22-01 remediation deadline

References

Resource: Type
Digiever Security Advisory, DS-2105 Pro: Vendor Advisory
NVD, CVE-2023-52163: Vulnerability Database
CISA KEV Catalog Entry: US Government