
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw affecting the Digiever DS-2105 Pro network video recorder (NVR) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability is tracked as CVE-2023-52163 (CVSS score: 8.8) and is a command injection flaw that allows remote code execution after authentication.
“Digiever DS-2105 Pro has an insufficient authentication vulnerability that could allow command injection via time_tzsetup.cgi,” CISA said.

The addition of CVE-2023-52163 to the KEV catalog comes amid multiple reports from Akamai and Fortinet that threat actors are exploiting the flaw to deliver botnets such as Mirai and ShadowV2.
According to Ta-Lun Yen, a security researcher at TXOne Research, this vulnerability, along with an arbitrary file read bug (CVE-2023-52164, CVSS score: 5.1), remains unpatched because the device has reached End of Life (EoL) status.
Successful exploitation requires an attacker to log in to the device and send a crafted request. With no patch available, we recommend that you avoid exposing the device to the internet and change the default username and password.
CISA also recommends that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations to protect their networks from active threats or retire their products by January 12, 2025.
