What happened

CISA added CVE-2023-52163 to its Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed exploitation in the wild CISA KEV. The vulnerability affects the Digiever DS-2105 Pro and is described as a missing authorization flaw that enables command injection via the time_tzsetup.cgi endpoint NVD CVE-2023-52163. CISA’s record classifies the weakness under CWE-862 (Missing Authorization), reinforcing that access control checks are absent where required NVD CWE mapping.

Per the KEV entry, federal agencies are required to remediate by the due date and follow Binding Operational Directive (BOD) guidance or discontinue use if mitigations aren’t available CISA KEV. The vendor/product and vulnerability naming (Digiever DS-2105 Pro — Missing Authorization) are aligned across the KEV and CVE sources MITRE CVE record.

Why it matters

A missing authorization control on a CGI endpoint that adjusts device time settings is a high-value pivot point: attackers can issue privileged actions without authentication, then chain input to inject system commands on the appliance NVD CVE-2023-52163. CISA’s inclusion in KEV means real actors are leveraging this path, so exposure equals risk now, not hypothetically later CISA KEV. For organizations relying on embedded video/edge appliances, a compromised DS-2105 Pro becomes a foothold for lateral movement and persistence if not contained quickly MITRE CVE summary.

Technical detail

• Vulnerability class: Missing Authorization (CWE-862) — the device fails to enforce access control on a sensitive CGI resource NVD CWE-862.
• Affected device: Digiever DS-2105 Pro, as enumerated in the CVE and KEV entries NVD product scope CISA KEV.
• Exploitation vector: time_tzsetup.cgi — an endpoint intended for timezone/time configuration that is reachable without proper authorization and is susceptible to command injection when attacker-controlled input is processed NVD CVE-2023-52163 MITRE CVE.

In practice, this pattern typically manifests as unauthenticated HTTP requests to the CGI with crafted parameters that the backend passes to a shell or system utility, resulting in arbitrary command execution on the device NVD CVE analysis. The KEV designation confirms that threat actors have workable exploit chains for this target, reducing the window between public awareness and operational abuse to near-zero CISA KEV.

Defense

• Immediate actions (KEV compliance): Follow vendor mitigations and BOD guidance or discontinue use where no fix exists — this is explicitly required for KEV-listed issues CISA KEV required action.
• Exposure reduction: Remove DS-2105 Pro web interfaces from the public internet and restrict management to a dedicated admin network; the flaw is triggered over network-accessible CGI endpoints NVD CVE-2023-52163.
• Compensating controls: If patching is not immediately possible, enforce network ACLs to limit HTTP/HTTPS to trusted admin hosts; monitor for anomalous requests to time_tzsetup.cgi as an exploitation indicator MITRE CVE.
• Detection priorities: Hunt for outbound connections or processes spawned by the web server context on the device following HTTP hits to time_tzsetup.cgi; command injection often leaves process and network artifacts NVD CVE behavior.
• Asset inventory: Identify and isolate any DS-2105 Pro instances; align remediation tracking with the KEV due date to meet mandated timelines CISA KEV timelines.

Lyrie Verdict

This is classic unauthenticated device takeover via a CGI miscontrol — precisely the kind of edge-surface exploit that moves faster than human triage can keep up NVD CVE-2023-52163. Lyrie sensors should auto-profile Digiever appliances, watch for access to time_tzsetup.cgi, and detonate suspicious payloads in-line to confirm command-injection behavior at machine speed MITRE CVE. On confirmation, Lyrie will quarantine flows to the device and push just-in-time network policies to block the CGI route globally while flagging affected assets for patching per KEV guidance CISA KEV response.