Cyber Posture

CVE-2023-52163

High | CISA KEV | Active Exploitation | Public PoC

Published: 03 February 2025
Modified: 24 December 2025
KEV Added: 22 December 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6950 (98.7th percentile)
Risk Priority: 79 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52163 is a high-severity Missing Authorization (CWE-862) vulnerability in Digiever DS-2105 Pro firmware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated

Prevent (SA-22, Unsupported System Components): Prohibits use of unsupported system components such as the end-of-support Digiever DS-2105 Pro devices, eliminating exposure to this unpatchable command injection vulnerability.

Prevent (AC-3, Access Enforcement): Enforces approved authorizations for access to the time_tzsetup.cgi endpoint, directly countering the missing authorization (CWE-862) that enables low-privileged attackers to inject commands.

Prevent: Validates inputs to the time_tzsetup.cgi component to detect and reject command injection payloads, preventing arbitrary command execution.

NVD Description

Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysis, AI-generated

CVE-2023-52163 is a command injection vulnerability in the time_tzsetup.cgi component of Digiever DS-2105 Pro devices running firmware version 3.1.0.71-11. This issue, linked to CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It exclusively affects products that are no longer supported by the maintainer.

A low-privileged remote attacker with network access can exploit this vulnerability by sending crafted requests to the time_tzsetup.cgi endpoint, enabling arbitrary command execution on the device. Successful exploitation has high-impact confidentiality, integrity, and availability consequences, potentially leading to full device compromise.

Advisories from sources like Akamai, TXOne Networks, CISA, and Fortinet highlight the need for mitigation in Digiever IoT devices, but no patches are available due to end-of-support status. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, underscoring active real-world exploitation risks for unpatched deployments.

Details

CWE(s): CWE-862 (Missing Authorization)
KEV Date Added: 22 December 2025

Affected Products

digiever ds-2105 pro firmware, version 3.1.0.71-11
digiever ds-2105 pro+ firmware, version 3.1.0.71-11

CVEs Like This One

CVE-2024-57726 (shared CWE-862; both on KEV)
CVE-2025-6205 (shared CWE-862; both on KEV)
CVE-2025-20362 (shared CWE-862; both on KEV)
CVE-2025-40602 (shared CWE-862; both on KEV)
CVE-2024-12365 (shared CWE-862)
CVE-2025-67974 (shared CWE-862)
CVE-2025-65669 (shared CWE-862)
CVE-2026-28254 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)