CISA Flags Digiever NVR Vulnerability Actively Exploited, Allowing Remote Code Execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability affecting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, based on confirmed in-the-wild exploitation activity.
The issue, tracked as CVE-2023-52163 (CVSS score: 8.8), is a command injection weakness that enables remote code execution after authentication.
“Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi,” CISA said.
The inclusion of CVE-2023-52163 in the KEV catalog follows multiple reports from Akamai and Fortinet documenting threat actors abusing the bug to deploy botnets such as Mirai and ShadowV2, increasing the likelihood that SOC teams will encounter related network and endpoint indicators.
According to TXOne Research security researcher Ta-Lun Yen, this vulnerability, along with an arbitrary file read issue (CVE-2023-52164, CVSS score: 5.1), remains unpatched because the device has reached end-of-life (EoL), leaving organizations dependent on compensating controls instead of vendor fixes.
Successful exploitation requires an attacker to already be authenticated to the device and then issue a crafted request. With no security update available, users should avoid exposing these NVRs directly to the internet, enforce strong unique credentials by changing the default username and password, and treat any exposed instance as high-risk in SOC monitoring.
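For the SOC monitoring described above, a minimal triage pass over HTTP access logs can surface any request that references `time_tzsetup.cgi`. This is an added example, not code from CISA or the vendors cited. The log format, the sample lines, the `/cgi-bin/` path, the parameter names and the internal address ranges are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample (combined-log style). Addresses, paths and parameter
# names are placeholders, not values taken from the device or any report.
SAMPLE_LOG = """\
10.0.5.20 - - [01/Jan/2025:10:01:02 +0000] "GET /cgi-bin/time_tzsetup.cgi HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:03:10 +0000] "POST /cgi-bin/time_tzsetup.cgi?p=a%3Bb HTTP/1.1" 200 87
198.51.100.9 - - [01/Jan/2025:10:04:44 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2025:10:05:01 +0000] "GET /x?page=TIME_TZSETUP.CGI HTTP/1.1" 404 0
"""

TARGET = "time_tzsetup.cgi"  # CGI named in the CISA KEV entry
# Assumption: these ranges are "internal"; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SHELL_META = re.compile(r"[;|&`$<>\n]")


def triage(log_text):
    """Return one finding per logged request that references the CGI."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, method, uri, status = m.groups()
        if TARGET not in unquote(uri).lower():
            continue
        try:
            addr = ipaddress.ip_address(src)
            external = not any(addr in net for net in INTERNAL_NETS)
        except ValueError:
            external = True  # unparseable source: treat as untrusted
        # Shell metacharacters in a decoded query value are a strong signal.
        values = [v for _, v in parse_qsl(uri.partition("?")[2], keep_blank_values=True)]
        meta = any(SHELL_META.search(v) for v in values)
        findings.append({"src": src, "time": ts, "method": method,
                         "status": int(status), "external": external,
                         "shell_meta": meta,
                         "severity": "high" if external or meta else "review"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Access logs rarely record POST bodies, so a request with an empty query string still warrants review when the source is unexpected.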
CISA is further advising Federal Civilian Executive Branch (FCEB) agencies to either implement appropriate mitigations or fully retire the affected product by January 12, 2025, to reduce exposure to ongoing exploitation and limit the attack surface across their environments.
