A critical command injection flaw in DigiEver surveillance devices is being actively exploited by multiple botnets. The vendor has refused to patch, leaving thousands of devices permanently vulnerable.

Security cameras designed to protect homes and businesses are being turned into weapons. A critical vulnerability in DigiEver digital video recorders (DVRs) is under active exploitation by at least two Mirai-variant botnets, and the manufacturer has made clear it will never release a fix. For organizations still running these devices, the clock is ticking.
CVE-2023-52163 is a command injection vulnerability affecting DigiEver DVR devices, including the DS-2105 Pro running firmware version 3.1.0.71-11. The flaw was discovered by security researchers at TXOne Networks in July 2023, who promptly notified DigiEver of the issue. The vendor's response was blunt: the products are End-of-Life (EOL) and have been for five years. No patch would be forthcoming.
That decision has had consequences. By December 2023, threat actors had discovered and weaponized the vulnerability. Researchers at Akamai's Security Intelligence Response Team (SIRT) documented active exploitation by a Mirai-type botnet they dubbed "Hail Cock." More recently, Fortinet's FortiGuard Labs has observed a separate botnet called "ShadowV2" leveraging the same flaw to conscript vulnerable DVRs into its army of compromised devices.
The vulnerability has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, a clear signal to federal agencies and the broader security community that this threat requires immediate attention. CISA's deadline for federal agencies to address the vulnerability is January 12, 2026—though for devices that will never receive a patch, "addressing" effectively means pulling the plug.
At its core, CVE-2023-52163 is a textbook command injection vulnerability, the kind security professionals have been warning about for decades. The flaw resides in a CGI script called time_tzsetup.cgi, which handles time synchronization settings for the DVR. This script is accessible through a gateway endpoint at /cgi-bin/cgi_main.cgi.
The vulnerability exists because the script takes user-supplied input from the ntp parameter—intended to specify a Network Time Protocol server address—and passes it directly to a system shell command without any sanitization. An attacker can append shell metacharacters such as semicolons (;), pipes (|), or backticks (`) to inject arbitrary commands that the device's operating system will dutifully execute.
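How a handler for a setting like ntp can avoid this class of bug, shown as an added example rather than DigiEver's code. The ntpdate command name, the function names and the placeholder token are assumptions, and nothing is executed.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def validate_ntp_server(value):
    """Return a canonical NTP server string, or raise ValueError."""
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("empty or over-long server name")
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(LABEL.fullmatch(label) for label in labels):
        return ".".join(labels).lower()
    raise ValueError("not an IP address or hostname: %r" % value)

def unsafe_command(ntp):
    # The pattern the article describes: input concatenated into a shell string.
    # Built only as a string for comparison; "ntpdate" is a hypothetical command.
    return "ntpdate " + ntp

def safe_argv(ntp):
    # Validated value passed as a single argv element (for example to
    # subprocess.run without shell=True), so no shell ever parses it.
    return ["ntpdate", validate_ntp_server(ntp)]

def is_valid(ntp):
    """True if the value would be accepted by validate_ntp_server."""
    try:
        validate_ntp_server(ntp)
        return True
    except ValueError:
        return False
```

The allow-list also rejects values that begin with a hyphen, which would otherwise reach the called program as an option even without a shell.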
There is a notable discrepancy in how different researchers classify the authentication requirements for this attack. TXOne Networks, which discovered the vulnerability, describes it as a post-authentication flaw, meaning an attacker would first need valid credentials to access the device's management interface. However, CISA has classified the vulnerability under CWE-862 (Missing Authorization), suggesting the vulnerable script itself may not properly verify that a user is authenticated before processing requests. Fortinet's observations of in-the-wild exploitation appear to confirm that attackers are exploiting this flaw without authentication, potentially by bypassing or ignoring any authentication checks at the gateway level.
The practical implication is stark: if a DigiEver DVR's management interface is accessible from the internet, it can likely be compromised with a single HTTP request.
The exploitation process is devastatingly simple:
/cgi-bin/cgi_main.cgi endpoint. The request body contains two critical parameters:
ntp parameter value and passing it to a shell command. The shell interprets the semicolon as a command separator and executes the attacker's injected command with the privileges of the web server process.
binary.sh) from an attacker-controlled server. This script fetches architecture-specific Mirai malware binaries and installs them on the device, enrolling it into the botnet.
TXOne Networks has published a Snort 3 rule that can detect exploitation attempts:
```
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"WEB-CGI Digiever DS-2105 Pro Command Injection";
    flow:to_server,established;
    http_uri;
    content:"/cgi-bin/cgi_main.cgi";
    http_client_body;
    content:"cgiName=time_tzsetup.cgi";
    pcre:"/ntp=[0-9a-zA-Z\\.\\s]*[|`\\;]/";
    reference:cve,2023-52163;
    classtype:web-application-attack;
    sid:1000001;
    rev:1;
)
```

This rule looks for POST requests to the vulnerable CGI gateway where the request body contains the time_tzsetup.cgi target and an ntp parameter followed by shell metacharacters—the telltale signature of an exploitation attempt.
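The matching logic of the rule above, applied offline to logged requests, as an added example that is not TXOne's or the vendor's code. The record layout, the sample requests, the CMD_PLACEHOLDER token and the extra metacharacters beyond | ; ` are assumptions made here; values are percent-decoded before matching so that an encoded separator is caught as well.

```python
import re
from urllib.parse import unquote, unquote_plus

GATEWAY = "/cgi-bin/cgi_main.cgi"
TARGET = "time_tzsetup.cgi"
# | ; ` come from the rule above; & $ CR LF are extras assumed for this example.
SHELL_META = re.compile(r"[|;`&$\r\n]")

def form_fields(data):
    """Parse urlencoded pairs, splitting on '&' only so ';' stays in the value."""
    fields = {}
    for pair in data.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def classify(path, body=""):
    """Return 'exploit-attempt', 'time-setup' or None for one logged request."""
    uri, _, query = path.partition("?")
    if re.sub(r"/+", "/", unquote(uri)) != GATEWAY:
        return None
    fields = form_fields(query + "&" + body)
    if TARGET not in fields.get("cgiName", []):
        return None
    if any(SHELL_META.search(v) for v in fields.get("ntp", [])):
        return "exploit-attempt"
    return "time-setup"  # well-formed call; still review if the source is external

def scan(records):
    """Return (source, verdict) for every record that touches the vulnerable script."""
    hits = []
    for rec in records:
        verdict = classify(rec["path"], rec.get("body", ""))
        if verdict:
            hits.append((rec["src"], verdict))
    return hits

# Constructed sample records (documentation addresses, placeholder command).
SAMPLE = [
    {"src": "198.51.100.4", "path": "/index.html"},
    {"src": "203.0.113.7", "path": GATEWAY, "body": "cgiName=time_tzsetup.cgi&ntp=pool.ntp.org"},
    {"src": "203.0.113.9", "path": GATEWAY, "body": "cgiName=time_tzsetup.cgi&ntp=192.0.2.10|CMD_PLACEHOLDER"},
    {"src": "203.0.113.9", "path": GATEWAY, "body": "cgiName=time_tzsetup.cgi&ntp=192.0.2.10%3BCMD_PLACEHOLDER"},
    {"src": "203.0.113.12", "path": GATEWAY, "body": "cgiName=other.cgi&ntp=a%3Bb"},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```

Standard access logs usually omit POST bodies, so the body field has to come from a reverse proxy, WAF or packet capture that records it.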
| Vendor | Product | Affected firmware | Patch |
| --- | --- | --- | --- |
| DigiEver | DS-2105 Pro | 3.1.0.71-11 (confirmed) | None (EOL) |
| DigiEver | DVRs (various models) | Unknown (likely all) | None (EOL) |
The full scope of affected products remains unclear, and this ambiguity is itself a significant concern. TXOne researchers noted that DigiEver appears to use a shared codebase across its DVR product line, meaning the vulnerability likely affects far more devices than just the DS-2105 Pro. However, without cooperation from the vendor, a definitive list of affected models and firmware versions cannot be established.
DigiEver DVRs are typically deployed in small-to-medium business environments for video surveillance purposes. These devices record and store security camera footage, often containing sensitive visual data of employees, customers, and business operations. They are frequently found in retail locations, small offices, warehouses, and residential properties.
The devices are often managed remotely, which unfortunately means their management interfaces are frequently exposed to the internet—either intentionally for convenience or unintentionally due to misconfigured network equipment. This exposure makes them prime targets for automated scanning and exploitation by botnet operators.
This is not a theoretical threat. Multiple security organizations have confirmed active exploitation in the wild:
Hail Cock Botnet: First documented by Akamai SIRT around December 19, 2023, this Mirai-variant botnet was observed actively scanning for and exploiting CVE-2023-52163 to compromise DigiEver DVRs. The compromised devices are then used to conduct distributed denial-of-service (DDoS) attacks.
ShadowV2 Botnet: Fortinet's FortiGuard Labs has documented a separate campaign by the ShadowV2 botnet, which also leverages this vulnerability. Their research identified specific infrastructure used by the attackers:
silverpath[.]shadowstresser[.]info
81[.]88[.]18[.]108
198[.]199[.]72[.]27
binary.sh
Fortinet has also published SHA256 hashes for ShadowV2 malware samples:
0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe
dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83
6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6
Successful exploitation of CVE-2023-52163 grants attackers complete control over the compromised DVR. The potential consequences are severe:
The CVSS 3.1 score for this vulnerability is 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This reflects the network-accessible attack vector, low complexity, and complete impact on confidentiality, integrity, and availability. Some analyses suggest the score should be even higher (9.8) if the vulnerability can be exploited without authentication, as in-the-wild attacks suggest.
The uncomfortable truth is that there is no patch coming for CVE-2023-52163. DigiEver has made clear these products are End-of-Life and will not be updated. Organizations must take alternative action immediately.
Security teams should review web server access logs for exploitation indicators:
/cgi-bin/cgi_main.cgi
cgiName=time_tzsetup.cgi
ntp parameter values containing shell metacharacters (|, ;, `)
ntp parameter
CVE-2023-52163 exemplifies a growing crisis in IoT security: the abandoned device problem. When vendors declare products End-of-Life and refuse to issue security patches, customers are left with equipment that will remain vulnerable forever. In this case, DigiEver's products have apparently been EOL for five years, yet they remain deployed in countless environments, quietly recording video while presenting an open door to attackers.
The situation is made worse by the nature of DVR deployments. These devices are often installed by third-party contractors or previous IT staff and then forgotten. They sit in closets and server rooms, dutifully recording footage while running ancient, unpatched firmware. When their management interfaces are exposed to the internet—sometimes by design, sometimes by accident—they become easy prey for automated exploitation tools.
The addition of CVE-2023-52163 to CISA's Known Exploited Vulnerabilities catalog sends a clear message: this threat is real, it's active, and it requires immediate attention. But for devices that will never be patched, CISA's guidance is unambiguous: "Discontinue use of the product."
For organizations that cannot immediately replace affected devices, aggressive network isolation and monitoring are essential. These DVRs should be treated as hostile devices that happen to be inside your network perimeter—because after exploitation, that's exactly what they become.
The Mirai botnet and its descendants have demonstrated time and again that insecure IoT devices pose a threat not just to their owners, but to the entire internet. Every compromised DVR is another soldier in an army that can be aimed at any target. The question isn't whether your DigiEver devices will be attacked—it's whether you'll address the vulnerability before or after they're conscripted into a botnet.