CVE-2023-52163
Published: 2025-02-03
Priority: P1 (93), high · CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2026-01-12
Exploited in the wild
EPSS: 96.28% (99.9th percentile)
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| digiever | ds-2105_pro_+_firmware | — | — |
| digiever | ds-2105_pro_firmware | — | — |
Detection & IOCs (extracted from sources)
- path: /cgi-bin/cgi_main.cgi
- path: /cgi-bin/time_tzsetup.cgi
- command: cgiName=time_tzsetup.cgi&ntp=/etc/digigiver-release&action=4
Snort/Suricata rule (ET SID 2062137):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt (CVE-2023-52163)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/cgi_main.cgi"; http.request_body; content:"cgiName|3d|time_tzsetup.cgi"; fast_pattern; content:"ntp|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-52163; reference:url,www.akamai.com/blog/security-research/digiever-fix-that-iot-thing; classtype:attempted-admin; sid:2062137; rev:1; metadata:affected_product DigiEver, attack_target IoT, tls_state plaintext, created_at 2025_05_06, cve CVE_2023_52163, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit is unauthenticated — no session/auth token required. Any POST to /cgi-bin/cgi_main.cgi with a body containing 'cgiName=time_tzsetup.cgi' and a shell-metacharacter-injected 'ntp' parameter should be treated as an attack attempt.
- Look for an HTTP response header containing 'IE=EmulateIE10' as a fingerprint of the vulnerable Digiever device.
- Detect shell injection characters in the 'ntp' POST body parameter: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24) following the ntp= value.
- The Nuclei template uses OOB/OAST (interactsh DNS callback) to confirm blind command injection; monitor for unexpected DNS lookups originating from IoT devices.
- Snort/Suricata SID 2062137 (ET rule) covers this exploit with high confidence and low performance impact; deploy at both Perimeter and Internal chokepoints.
- The Nuclei template is marked 'verified: false'; treat detections as unconfirmed until manually validated against a real target.
- The vulnerability only affects end-of-life products with no vendor support; no patch is available from the maintainer.
- The ET Snort rule matches plaintext HTTP only (tls_state plaintext); encrypted traffic to the device would not be detected by this rule.
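As an added example (not code from the page's sources, the ET rule author, or the vendor), the following Python reproduces the matching logic of SID 2062137 and the 'IE=EmulateIE10' fingerprint note in a form that can be run over raw request captures. The sample requests and responses, the host name, and the `X-UA-Compatible` header name carrying the fingerprint value are constructed assumptions.

```python
import re

# Metacharacters listed in the rule's pcre: ';' '\n' '`' '|' '$', raw or
# percent-encoded (hex digits in either case).
META_RE = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")

TARGET_URI = "/cgi-bin/cgi_main.cgi"      # rule: http.uri with bsize:21
TARGET_CGI = "cgiName=time_tzsetup.cgi"   # rule: http.request_body content


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def injected_ntp_values(body: str):
    """Return the raw (still percent-encoded) ntp= values that carry a
    shell metacharacter.  Like the rule's pcre, only the bytes between
    'ntp=' and the next '&' are inspected."""
    hits = []
    for m in re.finditer(r"(?:^|&)ntp=([^&]*)", body):
        value = m.group(1)
        if META_RE.search(value):
            hits.append(value)
    return hits


def classify(raw: str) -> dict:
    """Apply the rule's conditions in order and return a verdict dict."""
    method, uri, _headers, body = parse_request(raw)
    verdict = {"alert": False, "reason": None, "ntp": None}
    if method != "POST" or uri != TARGET_URI:
        verdict["reason"] = "not a POST to cgi_main.cgi"
        return verdict
    if TARGET_CGI not in body:
        verdict["reason"] = "other cgiName"
        return verdict
    hits = injected_ntp_values(body)
    if hits:
        verdict.update(alert=True, reason="metacharacter in ntp", ntp=hits[0])
    else:
        verdict["reason"] = "ntp value looks benign"
    return verdict


def is_digiever_fingerprint(raw_response: str) -> bool:
    """Asset-inventory check: the page notes 'IE=EmulateIE10' in a response
    header as a device fingerprint.  Only the header block is inspected."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    return "IE=EmulateIE10" in head


# Constructed sample traffic (not captured from a real device).
HEAD = ("POST /cgi-bin/cgi_main.cgi HTTP/1.1\r\n"
        "Host: nvr.example.internal\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN = HEAD + "cgiName=time_tzsetup.cgi&ntp=pool.ntp.org&action=4"
INJECTED = HEAD + "cgiName=time_tzsetup.cgi&ntp=pool.ntp.org%3Bcanary&action=4"
OTHER_CGI = HEAD + "cgiName=other.cgi&ntp=pool.ntp.org%3Bcanary"
GET_REQ = "GET /cgi-bin/cgi_main.cgi HTTP/1.1\r\nHost: nvr.example.internal\r\n\r\n"
RESP = ("HTTP/1.1 200 OK\r\n"
        "X-UA-Compatible: IE=EmulateIE10\r\n"   # assumed header name
        "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("injected", INJECTED),
                      ("other cgi", OTHER_CGI), ("get", GET_REQ)]:
        print(f"{name:10} -> {classify(req)}")
    print("fingerprint:", is_digiever_fingerprint(RESP))
```

Two caveats carry over from the rule itself: the `ntp=` match is not anchored to a parameter boundary, so the regex above deliberately requires `^` or `&` in front of it to avoid matching a longer parameter name, and the check works on the raw, undecoded body, so a pipeline that URL-decodes before inspection must match the decoded characters instead of the `%xx` forms.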
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 8.8 | HIGH | — |
| cisa | 8.8 | HIGH | — |
GHSA
GHSA-mrvx-3qrr-qqxw: Digiever DS-2105 Pro 3
ghsa_unreviewed · 2025-02-03 · [MEDIUM] · CWE-862
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
VulnCheck
Digiever DS-2105 Pro Missing Authorization Vulnerability
vulncheck · 2023 · CVSS 8.8 · [HIGH] · CWE-862
Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.
Affected: Digiever DS-2105 Pro
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-29&host_type=src&vulnerability=cve-2023-52163; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-30&host_type=src&vulnerability=cve-2023-52163; https://dashboard.shadowserve
CISA
Digiever DS-2105 Pro Missing Authorization Vulnerability
cisa · 2025-12-22 · CVSS 8.8 · [HIGH] · CWE-862
Affected: Digiever DS-2105 Pro
Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.digiever.com/tw/support/faq-content.php?FAQ=217 ; https://nvd.nist.gov/vuln/detail/CVE-2023-52163
Remediation Due Date: 2026-01-12
Suricata
ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt (CVE-2023-52163)
suricata · 2025-05-06 · CVSS 8.8 · [HIGH]
Rule (truncated in the source): alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt (CVE-2023-52163)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/cgi_main.cgi"; http.request_body; content:"cgiName|3d|time_tzsetup.cgi"; fast_pattern; content:"ntp|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-52163; reference:url,www.akamai.com/blog/security-research/digiever-fix-that-iot-thing; classtype:attempted-admin; sid:2062137; rev:1; metadata:affected_product DigiEver, attack_target IoT, tls_sta
Nuclei
Digiever DS-2105 Pro - Command Injection
nuclei · CVSS 8.8 · [HIGH]
Digiever DS-2105 Pro 3.1.0.71-11 contains a command injection caused by unsanitized input in time_tzsetup.cgi, letting attackers execute arbitrary commands remotely; the exploit requires no authentication.
Template (truncated in the source):

```yaml
id: CVE-2023-52163

info:
  name: Digiever DS-2105 Pro - Command Injection
  author: rajesh-social-tech
  severity: high
  description: |
    Digiever DS-2105 Pro 3.1.0.71-11 contains a command injection caused by unsanitized input in time_tzsetup.cgi, letting attackers execute arbitrary commands remotely, exploit requires no authentication.
  impact: |
    Remote attackers can execute arbitrary commands on the device, potentially leading to full device compromise.
  remediation: |
    Update to a supported version or contact the vendor for security patches.
  ref
```
Fortinet
ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab
blogs_fortinet · 2025-11-26
Inside the Latest Mirai Variant Targeting IoT Devices Worldwide
By Vincent Li | November 26, 2025
Affected Platforms: DD-WRT 24 sp1, D-Link DNS-320 FW v2.06B01 Revision Ax, D-Link Go-RT-AC750 GORTAC750_revA_v101b03, D-Link GO-RT-AC750_revB_FWv200b02, Digiever DS-2105 Pro 3.1.0.71-11, TBK DVR-4104, TBK DVR-4216, D-Link DNS-320, D-Link DNS-320LW, D-Link DNS-325, D-Link DNS-340L, TP-Link Archer router series
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
At the end of October, during a global disr
Bleepingcomputer
New ShadowV2 botnet malware used AWS outage as a test opportunity
blogs_bleepingcomputer · 2025-11-26 · CVSS 8.3 · [HIGH]
By Bill Toulas
A new Mirai-based botnet malware named ‘ShadowV2’ has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
Fortinet’s FortiGuard Labs researchers spotted the activity during the major AWS outage in October. Although the two incidents are not connected, the botnet was active only for the duration of the outage, which may indicate that it was a test run.
ShadowV2 spread by leveraging at least eight vulnerabilities in multiple IoT products:
- DD-WRT (CVE-2009-2765)
- D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915)
- DigiEver (CVE-2023-52163)
- TBK (CVE-2024-3721)
- TP-Link (CVE-2024-53375)
Among these flaws, CVE-2024-10914
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro · 2025-10-09 · CVSS 8.8 · [HIGH]
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits (second excerpt from the same article)
blogs_trendmicro · 2025-10-09
Key takeaways
- The campaign exposes organizations with exposed infrastructure to the risks of data exfiltration, persistent network compromise, and operational disruption.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bleepingcomputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer · 2025-10-09 · CVSS 8.8 · [HIGH]
By Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attackers focus on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and have been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future · CVSS 7.8 · CVE-2025-55182 [HIGH]
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Greynoiseio
NoiseLetter January 2026
blogs_greynoiseio
References
- https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing
- https://www.txone.com/blog/digiever-fixes-sorely-needed/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-52163
- https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
Timeline
- 2025-02-03: Published
- 2025-12-22: Added to CISA KEV
- Exploited in the wild