**U.S. CISA Adds Flaw in Digiever DS-2105 Pro to Its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability, tracked as CVE-2023-52163 with a CVSS Score of 8.8, in the Digiever DS-2105 Pro network video recorder (NVR) device to its Known Exploited Vulnerabilities (KEV) catalog.
The Digiever DS-2105 Pro is a Linux-based system designed for IP camera surveillance, recording and managing video feeds from multiple cameras over a network. It allows users to view live and recorded footage locally or remotely via web interfaces, making it a popular choice for small to medium-sized security installations.
However, devices running firmware version 3.1.0.71-11 are affected by a command injection vulnerability in the time_tzsetup.cgi CGI script. An attacker can trigger this flaw by sending specially crafted HTTP requests that include malicious input not properly validated or sanitized by the application.
If exploited, the vulnerability could enable a remote attacker to execute commands with the privileges of the web service, potentially leading to full compromise of the device, including unauthorized access, configuration changes, data exposure, or use of the device as a pivot point for further attacks. The issue only affects end-of-life (EoL) products that are no longer supported or patched by Digiever, meaning no official security updates are available.
As a result, affected devices remain permanently vulnerable unless mitigated through compensating controls. Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix the vulnerabilities by January 12, 2026.
**What You Need to Know:**
* The Digiever DS-2105 Pro is a network video recorder (NVR) device designed for IP camera surveillance.
* Devices running firmware version 3.1.0.71-11 are affected by a command injection vulnerability in the time_tzsetup.cgi CGI script.
* An attacker can trigger this flaw by sending specially crafted HTTP requests that include malicious input not properly validated or sanitized by the application.
* The issue only affects end-of-life (EoL) products that are no longer supported or patched by Digiever.
* CISA has ordered federal agencies to fix the vulnerabilities by January 12, 2026.
**What Can You Do?**
* Review the Known Exploited Vulnerabilities catalog and address the vulnerabilities in your infrastructure.
* If you use a Digiever DS-2105 Pro device, check if it is running firmware version 3.1.0.71-11.
* Consider mitigating the vulnerability through compensating controls, such as network segmentation or access control lists.
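The first two checks above can be automated against an asset inventory. The following is an added example, not code from the article or from CISA: it matches inventory records against a KEV-style entry and reports how many days remain before the due date. The inventory records, hostnames and the `kev_findings` helper are assumptions made for illustration; the KEV entry is a constructed sample using the feed's field names and the values given in this article.

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (feed field names; values taken from this article).
KEV_ENTRIES = [
    {"cveID": "CVE-2023-52163", "vendorProject": "Digiever",
     "product": "DS-2105 Pro", "dueDate": "2026-01-12"},
]

# Firmware the article names as affected. The KEV feed carries no version
# field, so this mapping has to be maintained by hand.
AFFECTED_FIRMWARE = {"CVE-2023-52163": {"3.1.0.71-11"}}

# Constructed inventory: hostnames and the "ExampleCam" vendor are hypothetical.
INVENTORY = [
    {"host": "nvr-lobby", "vendor": "DIGIEVER", "model": "DS-2105 Pro", "firmware": "3.1.0.71-11"},
    {"host": "nvr-dock", "vendor": "Digiever", "model": "ds-2105  pro", "firmware": "unknown"},
    {"host": "nvr-lab", "vendor": "ExampleCam", "model": "X100", "firmware": "1.0"},
]

def _norm(value):
    """Case-fold and collapse whitespace so inventory spelling differences still match."""
    return " ".join(value.lower().split())

def kev_findings(inventory, kev_entries, today):
    """Return one finding per (asset, KEV entry) pair that matches on vendor and product."""
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            if (_norm(asset["vendor"]) != _norm(entry["vendorProject"])
                    or _norm(asset["model"]) != _norm(entry["product"])):
                continue
            known_bad = AFFECTED_FIRMWARE.get(entry["cveID"], set())
            # A missing or different firmware string is not proof of safety:
            # flag it for manual verification instead of dropping the asset.
            exposure = "confirmed" if asset["firmware"] in known_bad else "verify-firmware"
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "exposure": exposure, "days_left": days_left,
                             "overdue": days_left < 0})
    return findings

if __name__ == "__main__":
    for f in kev_findings(INVENTORY, KEV_ENTRIES, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cve']} {f['exposure']} ({state})")
```

Because the affected product is end-of-life, a "confirmed" finding cannot be closed by patching; it has to be resolved by the compensating controls listed above or by retiring the device.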