CVE-2023-52163

Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163)

Detects exploitation of CVE-2023-52163, a missing authorization vulnerability (CWE-862) in Digiever DS-2105 Pro NVR devices. This KEV-listed vulnerability allows unauthenticated attackers to access restricted functionality or administrative interfaces without proper credential validation. Threat actors actively exploit exposed NVR devices for initial access, lateral movement, and persistence in OT/IoT environments.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Digiever
Product
DS-2105 Pro

Weakness (CWE)
CWE-862 Missing Authorization

Timeline

Disclosed
December 22, 2025

CVSS

Unscored
Write-up coming soon

What is Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163)?

Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163) maps to the Initial Access, Privilege Escalation and Defense Evasion tactics in MITRE ATT&CK (the adversary is trying to get into your network).

This page provides production-ready detection logic for Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163), covering the data sources and telemetry it touches: DeviceNetworkEvents, CommonSecurityLog, AzureFirewallApplicationRule, W3CIISLog. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Privilege Escalation, Defense Evasion
Microsoft Sentinel / Defender
kusto
// DeviceNetworkEvents and CommonSecurityLog name their columns differently
// (RemoteIP/RemotePort/RemoteUrl vs DestinationIP/DestinationPort/RequestURL),
// so normalise them before filtering.
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated > ago(24h)
| extend DestIP = coalesce(DestinationIP, RemoteIP),
         DestPort = coalesce(DestinationPort, RemotePort),
         Url = coalesce(RequestURL, RemoteUrl),
         SrcIP = coalesce(SourceIP, LocalIP)
| where DestPort in (80, 443, 8080, 8443, 554, 37777)
| where Url has_any ("/cgi-bin/", "/admin/", "/system/", "/config/", "/api/", "/setup")
// Header presence is only visible where the source logs request context;
// DeviceNetworkEvents carries no header data and passes this filter.
| where isempty(RequestContext) or RequestContext !has "Authorization"
| extend DeviceVendor_norm = tolower(DeviceVendor)
| where DeviceVendor_norm has_any ("digiever", "nvr", "ds-2105")
    or RequestClientApplication has_any ("digiever", "DS-2105")   // CEF user-agent field
    or Url has_any ("digiever", "ds2105")
| summarize RequestCount = count(), UniqueIPs = dcount(SrcIP), URLs = make_set(Url, 20) by DestIP, bin(TimeGenerated, 5m)
| where RequestCount > 5 or UniqueIPs > 2
| extend AlertSeverity = iff(RequestCount > 20, "High", "Medium")
| project TimeGenerated, DestIP, RequestCount, UniqueIPs, URLs, AlertSeverity

Detects unauthenticated HTTP requests to Digiever DS-2105 Pro administrative endpoints indicative of missing authorization exploitation. Looks for high-volume or multi-source access attempts to sensitive CGI/admin paths without Authorization headers.

high severity medium confidence

Data Sources

DeviceNetworkEvents, CommonSecurityLog, AzureFirewallApplicationRule, W3CIISLog

Required Tables

DeviceNetworkEvents, CommonSecurityLog

False Positives

  • Legitimate administrators accessing the NVR management interface from internal network segments
  • Network security scanners performing authorized vulnerability assessments
  • Monitoring systems polling device health endpoints without authentication headers
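To make the detection logic and its false-positive handling concrete, here is an added Python re-implementation of the query above (this is example code written for this page, not the vendor's or the Digiever product's code). It applies the same per-event filters (NVR port, admin path, no Authorization header, a Digiever/NVR marker), buckets candidates per destination into 5-minute windows, and raises the same thresholds and severities. It also takes an allowlist of source ranges so the three false-positive cases listed above (internal admins, authorised scanners, health-check pollers) can be tuned out. The JSON-per-line record shape, its field names and all sample events are constructed assumptions for the example; real CEF or MDE telemetry will need a field mapping.

```python
"""Added example (not the vendor's code): re-implements the unauthenticated
admin-endpoint detection in Python over constructed sample log lines, with an
allowlist covering the false-positive sources listed on the page."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators and thresholds mirror the KQL on the page.
NVR_PORTS = {80, 443, 8080, 8443, 554, 37777}
ADMIN_PATHS = ("/cgi-bin/", "/admin/", "/system/", "/config/", "/api/", "/setup")
VENDOR_MARKERS = ("digiever", "nvr", "ds-2105", "ds2105")


def parse_line(line):
    """Parse one JSON-per-line record (field names are an assumption of this
    example, loosely modelled on CommonSecurityLog). Returns None on garbage."""
    try:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["port"] = int(rec["port"])
        ipaddress.ip_address(rec["src"])  # validates the source address
        return rec
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def is_candidate(rec, allowlist):
    """Per-event filters: NVR port, admin path, no Authorization header, a
    Digiever/NVR marker in vendor, user agent or URL, and a source outside the
    allowlisted admin/scanner/monitoring ranges."""
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in allowlist):
        return False
    if rec["port"] not in NVR_PORTS:
        return False
    url = rec.get("url", "")
    if not any(p in url for p in ADMIN_PATHS):
        return False
    if rec.get("auth_header"):
        return False
    haystack = " ".join([rec.get("vendor", ""), rec.get("ua", ""), url]).lower()
    return any(m in haystack for m in VENDOR_MARKERS)


def detect(lines, allowlist=(), min_requests=5, min_sources=2, high_requests=20):
    """Group candidates by destination and 5-minute bin; alert when a bin
    exceeds the request-count or unique-source threshold."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_candidate(rec, nets):
            ts = rec["ts"]
            start = ts - timedelta(minutes=ts.minute % 5, seconds=ts.second,
                                   microseconds=ts.microsecond)
            buckets[(rec["dst"], start)].append(rec)
    alerts = []
    for (dst, start), recs in sorted(buckets.items()):
        count, sources = len(recs), {r["src"] for r in recs}
        if count > min_requests or len(sources) > min_sources:
            alerts.append({
                "dst": dst, "window_start": start.isoformat(),
                "requests": count, "unique_ips": len(sources),
                "urls": sorted({r["url"] for r in recs})[:20],
                "severity": "High" if count > high_requests else "Medium",
            })
    return alerts


def _ev(ts, src, dst, url, port=80, auth=False, vendor="Digiever", ua="curl/8.0"):
    """Build one constructed sample record."""
    return json.dumps({"ts": ts, "src": src, "dst": dst, "port": port, "url": url,
                       "auth_header": auth, "vendor": vendor, "ua": ua})


# Constructed sample log (all addresses are documentation ranges): one external
# host hitting admin CGI paths 22 times, three distinct hosts probing a second
# NVR, an internal monitor polling a health endpoint without credentials, a
# credentialed admin session, an unrelated page view and one unparsable line.
SAMPLE_LOG = (
    [_ev(f"2025-12-22T10:00:{s:02d}Z", "203.0.113.10", "192.0.2.50",
         ["/cgi-bin/snapshot.cgi", "/admin/", "/config/backup"][s % 3]) for s in range(22)]
    + [_ev("2025-12-22T10:03:00Z", ip, "192.0.2.51", "/cgi-bin/main.cgi")
       for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9")]
    + [_ev(f"2025-12-22T10:01:{s:02d}Z", "10.0.0.5", "192.0.2.52", "/api/health")
       for s in range(6)]
    + [_ev("2025-12-22T10:02:00Z", "10.0.0.9", "192.0.2.50", "/admin/", auth=True)]
    + [_ev("2025-12-22T10:02:10Z", "203.0.113.11", "192.0.2.50", "/index.html")]
    + ["not json at all"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, allowlist=("10.0.0.0/8",)):
        print(alert)
```

Run without an allowlist and the internal monitor at 10.0.0.5 produces a Medium alert against 192.0.2.52, exactly the third false-positive case above; adding the management range to the allowlist suppresses it while the external scanner (High, 22 requests) and the three-source probe (Medium, 3 unique IPs) still fire. The credentialed admin session and the plain page view never become candidates.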

Sigma rule & cross-platform mapping

The detection logic for Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated Admin Endpoint Enumeration

    Expected signal: HTTP GET requests to /cgi-bin/ and /admin/ paths from the test host IP to the NVR device on port 80, with no Authorization header present in the HTTP request headers

  2. Test 2: RTSP Stream Access Without Authentication

    Expected signal: Network connections to TCP/554 (RTSP) and TCP/80 from test host; HTTP requests to /cgi-bin/snapshot.cgi without authentication headers; potential RTSP DESCRIBE request in network capture

  3. Test 3: Configuration Extraction via Unauthenticated API

    Expected signal: Multiple HTTP GET requests to configuration and backup endpoints without Authorization headers; file download activity if 200 responses received; DNS lookups for NVR hostname from test system

Unlock Pro Content

Get the full detection package for CVE-2023-52163 including response playbook, investigation guide, and atomic red team tests.
