Cyber Posture

CVE-2023-52163

High · CISA KEV · Active Exploitation · Public PoC

Published: 03 February 2025

Modified: 24 December 2025
KEV Added: 22 December 2025
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7181 (98.8th percentile)
Risk Priority: 81 (60% EPSS · 20% KEV · 20% CVSS)

Description

Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Security Summary

CVE-2023-52163 is a command injection vulnerability in the time_tzsetup.cgi component of Digiever DS-2105 Pro devices running firmware version 3.1.0.71-11. This issue, linked to CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It exclusively affects products that are no longer supported by the maintainer.

A low-privileged remote attacker with network access can exploit this vulnerability by sending crafted requests to the time_tzsetup.cgi endpoint, enabling arbitrary command execution on the device. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially leading to full device compromise.

Advisories from sources like Akamai, TXOne Networks, CISA, and Fortinet highlight the need for mitigation in Digiever IoT devices, but no patches are available due to end-of-support status. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, underscoring active real-world exploitation risks for unpatched deployments.

Details

CWE(s): CWE-862
KEV Date Added: 22 December 2025

Affected Products

digiever · ds-2105 pro firmware · 3.1.0.71-11
digiever · ds-2105 pro+ firmware · 3.1.0.71-11
