
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code execution. "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi," CISA said."
"The addition of CVE-2023-52163 to the KEV catalog comes in the wake of multiple reports from Akamai and Fortinet about the exploitation of the flaw by threat actors to deliver botnets like Mirai and ShadowV2. According to TXOne Research security researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file read bug (CVE-2023-52164, CVSS score: 5.1), remains unpatched due to the device reaching end-of-life (EoL) status."
CISA added CVE-2023-52163 to the Known Exploited Vulnerabilities catalog due to evidence of active exploitation. The flaw is a post-authentication command injection enabling remote code execution via a missing authorization check in time_tzsetup.cgi. Threat actors have used the vulnerability to install botnets such as Mirai and ShadowV2, as reported by Akamai and Fortinet. An additional arbitrary file read vulnerability (CVE-2023-52164) also remains unpatched. Both issues persist because the Digiever DS-2105 Pro has reached end-of-life. Successful exploitation requires an authenticated session and a crafted request. Users should avoid exposing the device to the internet and change its default credentials, and federal agencies must mitigate the flaw or discontinue use of the product by January 12, 2025.
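Because the device is end-of-life and will not receive a patch, the practical defender's move is to hunt for requests to the affected CGI endpoint in web-server access logs. The following is an added example, not code from the article, CISA, or the vendor: it parses combined-format access-log lines (the sample lines are constructed, and the `/cgi-bin/` path prefix is an assumption; only the `time_tzsetup.cgi` file name comes from the advisory), flags any request that reaches the endpoint, and raises the severity when the decoded request contains shell metacharacters, which is the signature of a command-injection attempt rather than normal timezone configuration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/nginx "combined" style; not real traffic.
# The /cgi-bin/ prefix is an assumption; the advisory names only time_tzsetup.cgi.
SAMPLE_LOG = """\
203.0.113.5 - admin [12/Jan/2025:10:00:01 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=UTC HTTP/1.1" 200 512
203.0.113.9 - admin [12/Jan/2025:10:00:07 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=UTC%3Bid HTTP/1.1" 200 512
203.0.113.5 - - [12/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.22 - admin [12/Jan/2025:10:01:15 +0000] "POST /cgi-bin/time_tzsetup.cgi HTTP/1.1" 200 128
"""

# Combined log format: client, ident, authenticated user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the CISA KEV entry for CVE-2023-52163.
VULN_ENDPOINT = "time_tzsetup.cgi"

# Characters that separate or substitute shell commands; none belong in a timezone value.
SHELL_META_RE = re.compile(r"[;|&`]|\$\(|\$\{")


@dataclass
class Finding:
    ip: str
    user: str
    method: str
    target: str        # URL-decoded request target
    reason: str        # "shell-metacharacters" (high) or "endpoint-access" (review)


def find_suspicious(log_text: str) -> list[Finding]:
    """Return one Finding per request that touches the vulnerable CGI endpoint."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote(m["target"])  # decode %3B etc. before inspecting
        if VULN_ENDPOINT not in decoded:
            continue
        # Only the part after '?' is attacker-influenced in a GET; a POST carries its
        # parameters in the body, which the access log does not record, so it is
        # flagged for review rather than judged clean.
        query = decoded.partition("?")[2]
        reason = "shell-metacharacters" if SHELL_META_RE.search(query) else "endpoint-access"
        findings.append(Finding(m["ip"], m["user"], m["method"], decoded, reason))
    return findings


def high_severity(findings: list[Finding]) -> list[Finding]:
    """Subset of findings that show a command-injection pattern."""
    return [f for f in findings if f.reason == "shell-metacharacters"]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.reason:22} {f.ip:15} user={f.user} {f.method} {f.target}")
```

Every hit on the endpoint is worth a look on an internet-exposed NVR, because the flaw is post-authentication: an `admin` session issuing the request does not make it benign if the default credentials were never changed. POST requests to the endpoint cannot be judged from the access log alone, so the example reports them as "endpoint-access" and leaves the body inspection to a proxy or packet capture.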
Read at The Hacker News