U.S. CISA adds a flaw in Digiever DS-2105 Pro to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity command injection vulnerability (CVE-2023-52163) in Digiever DS-2105 Pro devices to its Known Exploited Vulnerabilities catalog. The flaw allows attackers to execute arbitrary operating system commands through specially crafted HTTP requests, potentially leading to full compromise of the device. Because the device is end-of-life and no patch is available, CISA requires federal agencies to remediate the vulnerability by January 12, 2026, and advises private organizations to take corresponding measures against the risk. 2025-12-23 08:43:40 Author: securityaffairs.com

Pierluigi Paganini December 23, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Digiever DS-2105 Pro flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Digiever DS-2105 Pro vulnerability, tracked as CVE-2023-52163 (CVSS Score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog.

Digiever DS-2105 Pro is a network video recorder (NVR) device designed for IP camera surveillance, acting as a standalone Linux-based system that records and manages video feeds from multiple cameras over a network. Users can view live and recorded footage locally or remotely via web interfaces. These devices are commonly used in small to medium-sized security installations.

Digiever DS-2105 Pro devices running firmware version 3.1.0.71-11 are affected by a command injection vulnerability in the time_tzsetup.cgi CGI script. An attacker can trigger the flaw to inject and execute arbitrary operating system commands by sending specially crafted HTTP requests that include malicious input not properly validated or sanitized by the application.

If exploited, the vulnerability could enable a remote attacker to execute commands with the privileges of the web service, potentially leading to full compromise of the device, including unauthorized access, configuration changes, data exposure, or use of the device as a pivot point for further attacks.

The issue only affects end-of-life (EoL) products that are no longer supported or patched by Digiever, meaning no official security updates are available. As a result, affected devices remain permanently vulnerable unless mitigated through compensating controls.
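One compensating control for devices that can no longer be patched is monitoring. The script below is an added example, not code from the article or from Digiever: it scans web access-log lines (assumed to be in the common "combined" layout of the NVR's web server or a front-end reverse proxy) and flags requests to time_tzsetup.cgi whose decoded parameter values contain shell metacharacters, handling URL-encoded and double-encoded values. The sample log lines and the `tz` parameter name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache/nginx "combined" access-log layout (assumed; adjust to the real log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that never belong in a time-zone setting but are the
# building blocks of OS command injection through an unsanitized CGI parameter.
META_RE = re.compile(r'[;|&`$(){}<>\n]')

VULN_SCRIPT = "time_tzsetup.cgi"  # the CGI script named in the advisory

def suspicious_params(target: str) -> list:
    """Return names of query parameters whose fully decoded value carries shell metacharacters."""
    parts = urlsplit(target)
    if not unquote(parts.path).endswith(VULN_SCRIPT):
        return []  # this rule is scoped to the vulnerable script only
    hits = []
    # Split on '&' by hand so an encoded ';' is never mistaken for a separator.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        decoded = unquote(unquote(value))  # second pass peels double encoding
        if META_RE.search(decoded):
            hits.append(name)
    return hits

def scan_access_log(lines) -> list:
    """Return (source_ip, timestamp, parameter names) for requests that look like injection attempts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hits = suspicious_params(m["target"])
        if hits:
            findings.append((m["src"], m["ts"], hits))
    return findings

# Constructed sample log lines (not real traffic); the "tz" parameter name is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2025:08:43:40 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=Europe%2FRome HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Dec/2025:08:44:01 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=UTC%3Bid HTTP/1.1" 200 77',
    '203.0.113.7 - - [23/Dec/2025:08:44:09 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=UTC%2524(id) HTTP/1.1" 200 77',
    '10.0.0.9 - - [23/Dec/2025:08:45:12 +0000] "GET /search.cgi?q=a%3Bb HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for src, ts, params in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {src} possible command injection via {VULN_SCRIPT}, parameter(s): {params}")
```

Because no vendor fix exists, a hit on this rule is a cue to isolate the device and review what the web service's account could reach, not just to block the source address.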

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by January 12, 2026.

Source: https://securityaffairs.com/186021/security/u-s-cisa-adds-a-flaw-in-digiever-ds-2105-pro-to-its-known-exploited-vulnerabilities-catalog.html