CVE-2023-52163
Published: 03 February 2025
Summary
CVE-2023-52163 is a high-severity Missing Authorization (CWE-862) vulnerability in Digiever DS-2105 Pro firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).
Deeper analysis
CVE-2023-52163 is a command injection vulnerability in the time_tzsetup.cgi endpoint of Digiever DS-2105 Pro devices running firmware version 3.1.0.71-11. The flaw is classified as missing authorization (CWE-862): the endpoint acts on user-supplied input without enforcing an authorization check, which is what allows that input to be handled improperly. The vendor has stated that the affected products are no longer supported.
An attacker with low-privileged network access can supply crafted parameters to the CGI script and execute arbitrary commands on the device. Successful exploitation yields full control over confidentiality, integrity, and availability of the affected system, consistent with the CVSS 8.8 rating.
Public advisories from Akamai, TXOne, and Fortinet document the issue and note the lack of vendor patches for unsupported hardware, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog. The EPSS score rose sharply from low values after disclosure to a peak of 0.7554 in April 2026 before receding to the current 0.7266, indicating sustained post-disclosure exploitation interest against these IoT devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56836
Vulnerability details
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s): CWE-862 (Missing Authorization)
- KEV Date Added: 22 December 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a publicly exposed CGI endpoint enables remote execution of arbitrary Unix shell commands on the device.
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): Prohibits use of unsupported system components such as the end-of-support Digiever DS-2105 Pro devices, eliminating exposure to this unpatchable command injection vulnerability.
- AC-3 (Access Enforcement): Enforces approved authorizations for access to the time_tzsetup.cgi endpoint, directly countering the missing authorization (CWE-862) that enables low-privileged attackers to inject commands.
- SI-10 (Information Input Validation): Validates inputs to the time_tzsetup.cgi component to detect and reject command injection payloads, preventing arbitrary command execution.
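As an added detection example (not from the advisory or the vendor), the check below applies the input-validation control above to the command injection described in the deeper analysis: it scans web access logs for requests to time_tzsetup.cgi whose query values contain shell metacharacters or are not well-formed IANA zone names. The query parameter name `timezone`, the `/cgi-bin/` path and the sample log lines are constructed assumptions, since the vendor does not publish the CGI's interface.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shape of a valid IANA zone name such as "UTC" or "Europe/Berlin"; anything
# else sent to the time-zone endpoint is treated as a finding (allowlist, not denylist).
TZ_RE = re.compile(r"^[A-Za-z]+(?:/[A-Za-z0-9_+\-]+){0,2}$")
# Shell metacharacters in any parameter value are a finding regardless of name.
META_RE = re.compile(r"[;&|`$(){}<>\n\r]")
# Common/combined log format: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample log lines (not real traffic); the second and third are the
# kinds of request the check is meant to surface.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "GET /cgi-bin/time_tzsetup.cgi?timezone=Europe%2FBerlin HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2025:10:01:05 +0000] "GET /cgi-bin/time_tzsetup.cgi?timezone=UTC%3Bid HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2025:10:01:06 +0000] "GET /cgi-bin/time_tzsetup.cgi?timezone=Not%20A%20Zone HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Jan/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def inspect_request(line):
    """Return a list of finding strings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/time_tzsetup.cgi"):
        return []
    findings = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl already decoded once; a second pass also catches double-encoding.
        value = unquote(value)
        if META_RE.search(value):
            findings.append(f"shell metacharacter in {key!r} from {m.group('ip')}")
        elif key == "timezone" and not TZ_RE.match(value):
            findings.append(f"malformed timezone {value!r} from {m.group('ip')}")
    return findings


def scan(lines):
    """Run inspect_request over a log and collect every finding."""
    return [f for line in lines for f in inspect_request(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allowlist regex is what a hardened handler would apply before the value reaches any shell, so the check doubles as the server-side validation the SI-10 control calls for.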