CVE-2023-52163
published 2025-02-03

CVE-2023-52163: Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported…

Priority: P1 · 93 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-01-12
Exploited in the wild
EPSS: 96.28% (99.9th percentile)
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
digiever | ds-2105_pro_+_firmware | |
digiever | ds-2105_pro_firmware | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/cgi_main.cgi
path: /cgi-bin/time_tzsetup.cgi
command: cgiName=time_tzsetup.cgi&ntp=/etc/digigiver-release&action=4
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DigiEver DS-2105 Pro time_tzsetup.cgi ntp Parameter Command Injection Attempt (CVE-2023-52163)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/cgi-bin/cgi_main.cgi"; http.request_body; content:"cgiName|3d|time_tzsetup.cgi"; fast_pattern; content:"ntp|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-52163; reference:url,www.akamai.com/blog/security-research/digiever-fix-that-iot-thing; classtype:attempted-admin; sid:2062137; rev:1; metadata:affected_product DigiEver, attack_target IoT, tls_state plaintext, created_at 2025_05_06, cve CVE_2023_52163, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit is unauthenticated — no session/auth token required. Any POST to /cgi-bin/cgi_main.cgi with body containing 'cgiName=time_tzsetup.cgi' and a shell-metacharacter-injected 'ntp' parameter should be treated as an attack attempt.
  • Look for HTTP response header containing 'IE=EmulateIE10' as a fingerprint of the vulnerable Digiever device.
  • Detect shell injection characters in the 'ntp' POST body parameter: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24) following the ntp= value.
  • The Nuclei template uses OOB/OAST (interactsh DNS callback) to confirm blind command injection — monitor for unexpected DNS lookups originating from IoT devices.
  • Snort/Suricata SID 2062137 (ET rule) covers this exploit with high confidence and low performance impact; deploy at both Perimeter and Internal chokepoints.
  • The Nuclei template is marked 'verified: false' — treat detections as unconfirmed until manually validated against a real target.
  • The vulnerability only affects end-of-life products with no vendor support; no patch is available from the maintainer.
  • The ET Snort rule matches plaintext HTTP only (tls_state plaintext); encrypted traffic to the device would not be detected by this rule.
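
The matching described in the notes above, written as an added example for scanning recorded HTTP requests (for instance from a proxy or WAF log); it is not code from the sources this page quotes or from the rule's authors. The function names and the sample requests are assumptions constructed for illustration, and the URI check ignores a query string, which is slightly broader than the rule's exact-length URI match.

```python
import re

# Raw or percent-encoded shell metacharacters named in the notes above:
# ';'  newline  '`'  '|'  '$'
METACHAR = re.compile(r";|%3b|\n|%0a|`|%60|\||%7c|\$|%24", re.IGNORECASE)
TARGET_URI = "/cgi-bin/cgi_main.cgi"


def body_params(body):
    """Split a form body on '&' WITHOUT URL-decoding, so that both the raw
    and the percent-encoded form of a metacharacter stay visible."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(name, []).append(value)
    return params


def is_injection_attempt(method, uri, body):
    """True when a request matches the pattern described for CVE-2023-52163."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != TARGET_URI:
        return False
    params = body_params(body)
    if "time_tzsetup.cgi" not in params.get("cgiName", []):
        return False
    # Only the ntp value itself is inspected; later parameters are ignored.
    return any(METACHAR.search(v) for v in params.get("ntp", []))


# Constructed sample requests (method, uri, body); placeholders, not captures.
SAMPLES = [
    ("POST", TARGET_URI, "cgiName=time_tzsetup.cgi&ntp=pool.ntp.org&action=4"),
    ("POST", TARGET_URI, "cgiName=time_tzsetup.cgi&ntp=a%3Bb&action=4"),
    ("POST", TARGET_URI, "cgiName=time_tzsetup.cgi&ntp=a|b&action=4"),
    ("POST", TARGET_URI, "cgiName=other.cgi&ntp=a%3Bb&action=4"),
    ("GET", TARGET_URI, "cgiName=time_tzsetup.cgi&ntp=a%3Bb"),
]


def scan(samples):
    """Return one True/False verdict per (method, uri, body) record."""
    return [is_injection_attempt(*s) for s in samples]


if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "ok   ", sample)
```

As with the network rule, this only sees requests that were logged or inspected in plaintext.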

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck | 8.8 | HIGH
cisa | 8.8 | HIGH