CISA Flags Actively Exploited DigiEver Flaw Exposing Surveillance Systems to Remote Takeover

December 28, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting DigiEver network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

The vulnerability, CVE-2023-52163, impacts DigiEver DS-2105 Pro devices and allows attackers to execute unauthorized commands remotely — without authentication. CISA added the flaw to the KEV list on December 22, 2025, signaling a clear and present threat to organizations running these systems.


🔍 Vulnerability Breakdown

CVE-2023-52163 is a missing authorization flaw (CWE-862) within the time_tzsetup.cgi interface of DigiEver DS-2105 Pro devices.

Due to improper access controls, attackers can issue commands without valid credentials, effectively bypassing security checks entirely.

This isn’t a sophisticated exploit — it’s a fundamental authorization failure.

Key Risk Factors:

  • 🔓 No authentication required

  • 🌐 Network-accessible attack vector

  • ⚠️ Command execution capability

  • 📹 Direct exposure of surveillance infrastructure

Once exploited, attackers could:

  • Disable or manipulate security footage

  • Interfere with physical security monitoring

  • Use the NVR as a foothold to pivot into internal networks
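To make the flaw class concrete, here is an added illustration of CWE-862 on a device configuration endpoint, with the hardened form beside it. This is a toy model written for this post, not DigiEver firmware: the handler names, the in-memory session store, the credential check and the timezone allowlist are all assumptions. The point is the ordering in the hardened handler: authorize first, validate the input second, only then touch device state.

```python
"""Toy model of a missing-authorization (CWE-862) configuration endpoint.

Constructed for illustration; not DigiEver code. Names and values are assumed.
"""
import hmac
import re
import secrets
from typing import Dict, Optional

# Constructed session store: token -> username of an authenticated operator.
SESSIONS: Dict[str, str] = {}

# The only device state this endpoint is supposed to change.
DEVICE_CONFIG: Dict[str, str] = {"timezone": "UTC"}

# Accept only identifiers that look like an IANA zone name ("Europe/Oslo",
# "America/Argentina/Buenos_Aires"). Anything else is rejected before it can
# reach whatever code applies the setting on the device.
TZ_PATTERN = re.compile(r"^[A-Za-z]+(?:/[A-Za-z0-9_+\-]+){0,2}$")

# Constructed credential for the demo; a real device would check a password hash.
_DEMO_USER = "admin"
_DEMO_PASSWORD = "correct-horse-battery-staple"


def login(username: str, password: str) -> Optional[str]:
    """Issue a session token when the (constructed) credential matches."""
    if username == _DEMO_USER and hmac.compare_digest(password, _DEMO_PASSWORD):
        token = secrets.token_hex(16)
        SESSIONS[token] = username
        return token
    return None


def tzsetup_vulnerable(request: Dict[str, str]) -> str:
    """The flaw class: the setting is applied without asking who sent the request."""
    DEVICE_CONFIG["timezone"] = request.get("tz", "")
    return "200 OK"


def tzsetup_hardened(request: Dict[str, str]) -> str:
    """Authorize, validate, then act. Each check fails closed."""
    token = request.get("session", "")
    if token not in SESSIONS:
        return "401 Unauthorized"          # no valid session: refuse before doing anything
    tz = request.get("tz", "")
    if not TZ_PATTERN.fullmatch(tz):
        return "400 Bad Request"           # malformed value: never passed on to the device
    DEVICE_CONFIG["timezone"] = tz
    return "200 OK"


if __name__ == "__main__":
    print("unauthenticated, vulnerable :", tzsetup_vulnerable({"tz": "Europe/Oslo"}))
    print("unauthenticated, hardened   :", tzsetup_hardened({"tz": "Europe/Oslo"}))
    tok = login(_DEMO_USER, _DEMO_PASSWORD)
    print("authenticated, hardened     :", tzsetup_hardened({"session": tok, "tz": "Europe/Oslo"}))
```

The vulnerable handler returns `200 OK` to anyone on the network; the hardened one returns `401` without a session and `400` for a value that does not look like a zone name, which is also the cheapest way to close off any command-execution path that depends on passing unexpected characters through the parameter.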


🧠 Why This Is a Serious Threat

Network-connected surveillance devices often operate outside traditional IT security oversight, making them attractive targets for threat actors seeking initial access.

When compromised, these systems can quietly undermine:

  • Physical security operations

  • Incident investigations

  • Compliance and audit trails

The command injection potential makes CVE-2023-52163 especially valuable for attackers looking to establish persistence or expand laterally across enterprise environments.

CISA’s decision to add this flaw to the KEV catalog confirms that exploitation is not theoretical — it is happening now.


⏱️ Mandatory Action Deadlines

Under Binding Operational Directive (BOD) 22-01, CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to remediate this vulnerability by January 12, 2026.

While this mandate applies directly to federal agencies, private-sector organizations should treat this timeline as a best-practice benchmark.

CISA advises organizations to:

  • Apply vendor-issued patches or mitigations immediately

  • Discontinue use of affected devices if updates are unavailable


🛡️ Recommended Defensive Actions

Organizations running DigiEver DS-2105 Pro systems should act now:

  1. Patch immediately according to DigiEver’s security guidance

  2. Isolate surveillance infrastructure using network segmentation

  3. Monitor device logs for unauthorized commands or configuration changes

  4. Audit access paths between OT/IoT systems and business networks

  5. Treat NVRs and cameras as attack surfaces, not passive hardware

Surveillance systems should never have unrestricted access to internal networks.
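Step 3 above (monitor device logs) is the one most teams skip because NVR logs are rarely shipped anywhere. The following added detection script, written for this post and not taken from DigiEver or CISA, shows the minimum worth doing: scan access logs from the NVR, or from a reverse proxy placed in front of it, for requests to the `time_tzsetup.cgi` endpoint that originate outside the management subnet. The combined access-log format, the `/cgi-bin/` path prefix, the `10.20.0.0/24` management network and the sample log lines are all constructed assumptions; adapt the regex and the network list to your own environment.

```python
"""Flag configuration-endpoint requests to an NVR from non-management hosts.

Constructed example for this post; log format, path prefix and subnet are assumed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Combined access-log format. An NVR or proxy may log differently; adjust here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hosts that are allowed to administer the device (assumed management VLAN).
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Endpoint named in the advisory. Matching on the file name rather than the
# full path keeps the rule working if the device serves it under another prefix.
SENSITIVE_ENDPOINT = "time_tzsetup.cgi"

# Constructed sample lines: two legitimate admin requests, two from an outside
# address, one ordinary viewer request.
SAMPLE_LOG = """\
10.20.0.15 - - [22/Dec/2025:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.20.0.15 - - [22/Dec/2025:09:02:40 +0000] "POST /cgi-bin/time_tzsetup.cgi HTTP/1.1" 200 73
198.51.100.23 - - [22/Dec/2025:09:05:03 +0000] "POST /cgi-bin/time_tzsetup.cgi HTTP/1.1" 200 73
198.51.100.23 - - [22/Dec/2025:09:05:04 +0000] "GET /cgi-bin/time_tzsetup.cgi?x=1 HTTP/1.1" 200 73
192.0.2.77 - - [22/Dec/2025:09:10:00 +0000] "GET /live.html HTTP/1.1" 200 2048
not a log line at all
"""


def is_management(ip: str) -> bool:
    """True only for a parseable address inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as untrusted and let it be flagged
    return any(addr in net for net in MANAGEMENT_NETS)


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request to the sensitive endpoint from outside management."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        if SENSITIVE_ENDPOINT not in m.group("path"):
            continue
        if is_management(m.group("ip")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": m.group("status"),
        })
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"ALERT {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("per-source counts:", summarize(found))
```

A `200` on a configuration endpoint from an address that should never reach the device is the signal to act on: on a device with this flaw there is no failed-login event to correlate with, so network position is the only authorization evidence the logs can give you. If the NVR cannot export logs at all, the same rule can run on NetFlow or proxy logs, which is one more argument for step 2, putting the device behind something that can see its traffic.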


🔐 The Elliptic Systems Perspective

This incident highlights a persistent and dangerous trend:
IoT and surveillance devices remain among the weakest links in enterprise security.

Missing authorization flaws are not edge cases — they are design failures, and when exploited, they blur the line between cyber risk and physical risk.

At Elliptic Systems, we help organizations:

  • Assess IoT and OT device exposure

  • Identify exploitable access-control weaknesses

  • Segment and harden surveillance infrastructure

  • Detect active exploitation before attackers move laterally

If your cameras are online, they are part of your threat model.

👉 Schedule an IoT & OT Security Assessment


⚠️ Final Takeaway

CISA’s inclusion of CVE-2023-52163 in the KEV catalog is a clear warning:

If you’re running vulnerable DigiEver NVRs and haven’t patched yet,
you should assume attackers are already scanning for you.

Surveillance devices protect what you see —
but if left unsecured, they expose far more than footage.

Elliptic Systems — Securing the Systems That Watch Over Everything Else.

AI Consultant | Best-selling Author | Speaker | Innovator | Leading Cybersecurity Expert

Eric Stefanik
