Executive Summary
In December 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged an actively exploited vulnerability (CVE-2023-52163, CVSS 8.8) in Digiever DS-2105 Pro network video recorders. Attackers exploited a missing-authorization flaw to achieve remote code execution through command injection; exploitation requires an authenticated session. Security researchers confirmed that this vulnerability enabled the deployment of IoT botnets such as Mirai and ShadowV2, allowing attackers to gain persistent control and to use compromised devices as a platform for further attacks. Because the product has reached end-of-life status, no patch is available, compounding the risk for organizations still operating affected models.
This incident is part of a broader trend of threat actors targeting unpatched and unsupported IoT devices for malware delivery and botnet growth. With critical infrastructure and surveillance systems at risk, timely mitigation is paramount amid surging exploitation and regulatory pressure for proactive defense.
Why This Matters Now
Attackers are rapidly exploiting unpatched, end-of-life IoT devices to deliver evolving botnets, making real-time security visibility and segmentation critical for organizations with legacy or unmanaged endpoints. Regulatory urgency, including CISA-imposed deadlines, increases immediate pressure to mitigate or retire vulnerable assets.
Attack Path Analysis
The attacker gained initial access to internet-exposed, unpatched Digiever NVRs by first obtaining valid credentials and then exploiting the post-authentication command injection vulnerability (CVE-2023-52163). Escalating privileges enabled them to execute unauthorized commands on the device. Lateral movement may have been attempted to discover and compromise other vulnerable endpoints or internal systems. The attacker established command and control to deploy botnet malware, such as Mirai or ShadowV2, enabling remote management of the device. Exfiltration or abuse of local resources may have occurred, such as outbound communication to C2 servers or enrolment of the device into broader attack campaigns. The final impact included device compromise, possible data loss, and the victim's network being used for wider botnet activity.
Kill Chain Progression
Initial Compromise
Description
Attacker logged into an internet-exposed Digiever NVR using default or stolen credentials, then exploited the command injection flaw (CVE-2023-52163) in a CGI endpoint to gain remote code execution.
Related CVEs
CVE-2023-52163
CVSS 8.8
A command injection vulnerability in Digiever DS-2105 Pro 3.1.0.71-11 devices allows authenticated remote attackers to execute arbitrary code via time_tzsetup.cgi.
Affected Products:
Digiever DS-2105 Pro – 3.1.0.71-11
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52163
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-52163
https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
https://www.txone.com/blog/digiever-fixes-sorely-needed/
CVE-2023-52164
CVSS 5.1
An arbitrary file read vulnerability in Digiever DS-2105 Pro 3.1.0.71-11 devices allows authenticated remote attackers to read sensitive files via crafted requests.
Affected Products:
Digiever DS-2105 Pro – 3.1.0.71-11
Exploit Status:
proof of concept
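As an added illustration of how the Initial Compromise step above can be spotted in the recorder's own web-server or reverse-proxy access logs (example code written for this brief, not Digiever's or any vendor's), the detector below parses Common Log Format lines and flags requests to a .cgi endpoint whose decoded parameter values contain shell metacharacters. The advisory names time_tzsetup.cgi but neither its parameters nor its URL path, so the /cgi-bin/ prefix, the parameter name tz and the sample log lines are constructed assumptions, and the metacharacter check is a generic command-injection heuristic rather than a vendor-published signature.

```python
"""Flag possible command-injection attempts against an NVR CGI endpoint in access logs.

Added example for this brief, not Digiever code. The advisory names the affected
endpoint (time_tzsetup.cgi) but not its parameters, so the check is a generic
heuristic: shell metacharacters inside a decoded query-string value.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common Log Format with the authenticated user in the third field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Endpoint named in the advisory; other .cgi hits are reported at lower confidence.
VULNERABLE_CGI = "time_tzsetup.cgi"

# Characters needed to chain or substitute a shell command; none belong in a
# timezone or similar settings value.
SHELL_META_RE = re.compile(r'[;|&`\n]|\$\(|\$\{')


def analyse_line(line):
    """Return a finding for one log line, or None when it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    filename = parts.path.rsplit("/", 1)[-1]
    if not filename.endswith(".cgi"):
        return None
    # parse_qsl splits on & and decodes once; the second unquote catches
    # double-encoded payloads such as %2524 -> %24 -> $.
    values = [unquote_plus(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = [v for v in values if SHELL_META_RE.search(v)]
    if not hits:
        return None
    return {
        "src": m.group("src"),
        "user": m.group("user"),
        "endpoint": filename,
        "confidence": "high" if filename == VULNERABLE_CGI else "medium",
        "evidence": hits,
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f]


# Constructed sample log: three benign requests and two suspicious ones.
SAMPLE_LOG = [
    '192.0.2.10 - admin [22/Dec/2025:10:14:02 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=Europe/Berlin&ntp=pool.example.net HTTP/1.1" 200 512',
    '192.0.2.10 - admin [22/Dec/2025:10:14:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 2048',
    '192.0.2.10 - admin [22/Dec/2025:10:14:15 +0000] "GET /index.html HTTP/1.1" 200 4096',
    '198.51.100.7 - admin [22/Dec/2025:10:15:31 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=UTC%3Bid HTTP/1.1" 200 512',
    '198.51.100.7 - admin [22/Dec/2025:10:15:40 +0000] "GET /cgi-bin/other.cgi?name=%2524%2528id%2529 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Splitting the query with parse_qsl before testing for metacharacters matters: the literal & between parameters is legitimate, so a naive scan of the raw query string would flag every multi-parameter request. The detector only sees GET query strings; parameters submitted in a POST body are invisible in access logs and need an inline IPS or a proxy with body inspection. Because the flaw is post-authentication, a hit from a valid user such as admin is exactly the "abnormal post-authentication activity" a detection control should alert on, and the source address of the hit is the first pivot for the investigation.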
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
Exploitation of Remote Services
Develop Capabilities: Malware
Abuse Elevation Control Mechanism
Account Manipulation
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy, Access Controls, and Security Maintenance
Control ID: 500.03, 500.07, 500.13
NIS2 Directive – Incident Handling and Security of Network/Information Systems
Control ID: Art. 21(2)(d) & (e)
CISA Zero Trust Maturity Model 2.0 – Device Security and Identity Management
Control ID: Identity, Devices, Network/Security Ops (Multiple)
DORA (Digital Operational Resilience Act) – ICT Risk Management and Vulnerability Handling
Control ID: Art. 9(2) & 10
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Security/Investigations
Physical security firms using Digiever NVR devices face critical remote code execution risks from unpatched vulnerabilities enabling Mirai botnet deployment.
Government Administration
Federal agencies must discontinue vulnerable Digiever systems by January 12, 2025, as CISA mandates mitigation against active botnet exploitation threats.
Banking/Mortgage
Financial institutions with surveillance systems face compliance violations and lateral movement risks from compromised network video recorders enabling malware deployment.
Health Care / Life Sciences
Healthcare facilities risk HIPAA violations and patient safety compromises through surveillance system vulnerabilities allowing unauthorized access and botnet infections.
Sources
- CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution: https://thehackernews.com/2025/12/cisa-flags-actively-exploited-digiever.html
- CISA Adds One Known Exploited Vulnerability to Catalog: https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
- Digiever Fix That IoT Thing: https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing
- ShadowV2 Casts a Shadow Over IoT Devices: https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
- Digiever Fixes Sorely Needed: https://www.txone.com/blog/digiever-fixes-sorely-needed/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
A cloud-native zero trust security fabric with strong segmentation, visibility, and egress policy enforcement would have limited exploitability of unpatched devices, detected malicious traffic, and controlled C2 botnet activities, reducing attacker dwell time and lateral spread.
Control: Cloud Firewall (ACF)
Mitigation: Perimeter firewall reduces public exposure of legacy devices.
Control: Threat Detection & Anomaly Response
Mitigation: Abnormal post-authentication activity triggers alerts for possible exploitation.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation limits network paths and blocks unauthorized east-west movement.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound malware communications are detected or blocked via egress filtering.
Control: Inline IPS (Suricata)
Mitigation: Signatures block known malicious exfiltration traffic patterns.
Central policy management provides rapid remediation and response to compromised devices.
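To make the Zero Trust Segmentation and Egress Security controls above concrete, the following added example (written for this brief; it is not CNSF's policy engine or its policy syntax) evaluates flow records from an NVR segment against a default-deny egress allow-list and singles out recorders with repeated blocked attempts. The 10.20.0.0/24 NVR VLAN, the 10.10.0.0/16 corporate range, the NTP and video-management hosts, and the flow records are all constructed.

```python
"""Default-deny egress policy for a surveillance (NVR) segment, evaluated over flow records.

Added example for this brief; it is not CNSF's policy engine or syntax. All
addresses, hosts and flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

NVR_SEGMENT = ip_network("10.20.0.0/24")   # constructed: NVR / camera VLAN
CORP_SEGMENT = ip_network("10.10.0.0/16")  # constructed: user and server VLANs
INTERNAL = (NVR_SEGMENT, CORP_SEGMENT)


@dataclass(frozen=True)
class Rule:
    name: str
    dst: IPv4Network
    proto: str
    dport: int


# The only conversations an NVR needs to initiate. Anything else is denied.
ALLOW_RULES = (
    Rule("ntp-internal", ip_network("10.10.1.53/32"), "udp", 123),
    Rule("vms-ingest", ip_network("10.10.5.20/32"), "tcp", 8443),
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow):
    """Return (verdict, reason) for one flow; verdict is allow, deny or ignore."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in NVR_SEGMENT:
        return "ignore", "source is outside the NVR segment"
    for rule in ALLOW_RULES:
        if dst in rule.dst and flow.proto == rule.proto and flow.dport == rule.dport:
            return "allow", rule.name
    if dst in NVR_SEGMENT:
        return "deny", "east-west traffic inside the NVR segment"
    if any(dst in net for net in INTERNAL):
        return "deny", "east-west traffic to a corporate segment"
    return "deny", "egress to the internet not covered by the allow-list"


def evaluate(flows, threshold=3):
    """Classify every flow and single out NVR hosts whose denied attempts reach
    the threshold: repeated blocked egress is how a compromised recorder trying
    to reach a loader or C2 server shows up once the policy is enforced."""
    decisions = [(flow, *classify(flow)) for flow in flows]
    denied = {}
    for flow, verdict, _ in decisions:
        if verdict == "deny":
            denied[flow.src] = denied.get(flow.src, 0) + 1
    suspects = sorted(host for host, count in denied.items() if count >= threshold)
    return decisions, suspects


# Constructed flow records: one recorder behaving, one beaconing and probing.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.10.1.53", "udp", 123),
    Flow("10.20.0.15", "10.10.5.20", "tcp", 8443),
    Flow("10.20.0.15", "10.10.3.40", "tcp", 445),
    Flow("10.20.0.15", "203.0.113.5", "tcp", 443),
    Flow("10.20.0.15", "203.0.113.5", "tcp", 8080),
    Flow("10.20.0.16", "10.10.1.53", "udp", 123),
    Flow("10.20.0.16", "10.20.0.15", "tcp", 80),
    Flow("10.10.4.8", "203.0.113.9", "tcp", 443),
]

if __name__ == "__main__":
    decisions, suspects = evaluate(SAMPLE_FLOWS)
    for flow, verdict, reason in decisions:
        print(f"{verdict:6} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  ({reason})")
    print("suspected compromised recorders:", suspects)
```

The point of the allow-list is that an unpatchable recorder cannot be made safe, but its blast radius can: with only NTP and the video-management server reachable, a successful command injection leaves the attacker unable to fetch a second-stage payload or reach a C2 server, and every blocked attempt becomes a log line that identifies the compromised device. The same deny decisions are what a central policy console would act on to isolate the host.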
Impact at a Glance
Affected Business Functions
- Surveillance Monitoring
- Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of surveillance footage and sensitive security data.
Recommended Actions
Key Takeaways & Next Steps
- Remove or properly segment EoL and unpatchable devices from all cloud and hybrid networks, leveraging network-level microsegmentation.
- Implement strict inbound and outbound firewall and egress filtering to block unauthorized access and malware communications from critical and legacy assets.
- Enable anomaly detection and real-time threat monitoring to identify post-authentication exploitation and abnormal device behaviors.
- Centralize visibility and enforce security policies across all clouds to rapidly respond to incidents and isolate compromised endpoints.
- Mandate credential hardening and regular access reviews for all exposed services and devices to reduce the risk of credential-based attacks.