The U.S. Cybersecurity and Infrastructure Safety Company (CISA) added a security flaw impacting Digiever DS-2105 Professional community video recorders (NVRs) to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability, tracked as CVE-2023-52163 (CVSS rating: 8.8), pertains to a case of command injection that enables post-authentication distant code execution.
“Digiever DS-2105 Professional incorporates a lacking authorization vulnerability which may enable for command injection through time_tzsetup.cgi,” CISA stated.
The addition of CVE-2023-52163 to the KEV catalog comes within the a number of experiences from Akamai and Fortinet concerning the exploitation of the flaw by menace actors to ship botnets like Mirai and ShadowV2.
In accordance with TXOne Analysis security researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file learn bug (CVE-2023-52164, CVSS rating: 5.1), stays unpatched as a result of system reaching end-of-life (EoL) standing.
Profitable exploitation requires an attacker to be logged into the system and carry out a crafted request. Within the absence of a patch, it is suggested that customers keep away from exposing the system to the web and alter the default username and password.
CISA can be recommending that Federal Civilian Government Department (FCEB) businesses apply the mandatory mitigations or discontinue use of the product by January 12, 2025, to safe their community from energetic threats.
