Detect Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163) in Google Chronicle
Detects exploitation of CVE-2023-52163, a missing authorization vulnerability (CWE-862) in Digiever DS-2105 Pro NVR devices. This KEV-listed vulnerability allows unauthenticated attackers to access restricted functionality or administrative interfaces without proper credential validation. Threat actors actively exploit exposed NVR devices for initial access, lateral movement, and persistence in OT/IoT environments.
MITRE ATT&CK
YARA-L Detection Query
rule digiever_ds2105_missing_auth_cve_2023_52163 {
  meta:
    author = "df00tech"
    description = "Detects unauthenticated access to Digiever DS-2105 Pro administrative endpoints (CVE-2023-52163)"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2023-52163"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1190"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    ($e.network.http.method = "GET" or $e.network.http.method = "POST")
    $e.target.port in (80, 443, 8080, 8443, 554, 37777)
    // Match on the requested URL; network.http.referral_url holds the Referer, not the path being accessed
    re.regex($e.target.url, `(?i).*(cgi-bin|/admin|/system|/config|/setup|/api).*`)
    // Requires a log source whose parser populates the raw request headers into this field
    not re.regex($e.network.http.request_headers, `(?i)authorization:\s*.+`)

  match:
    $e.target.ip over 5m

  outcome:
    $request_count = count_distinct($e.metadata.id)
    $source_ips = array_distinct($e.principal.ip)

  condition:
    #e > 5
}

Chronicle YARA-L rule detecting repeated unauthenticated HTTP requests to Digiever NVR administrative endpoints within 5-minute windows, consistent with CVE-2023-52163 exploitation patterns.
Data Sources
Required Tables
False Positives & Tuning
- Internal monitoring services legitimately polling device health APIs without standard auth headers
- Security scanners performing authorized network device assessments
- OT/IoT management platforms using proprietary authentication schemes not captured in standard HTTP headers
Other platforms for CVE-2023-52163
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated Admin Endpoint Enumeration
  Expected signal: HTTP GET requests to /cgi-bin/ and /admin/ paths from the test host IP to the NVR device on port 80, with no Authorization header present in the HTTP request headers
- Test 2: RTSP Stream Access Without Authentication
  Expected signal: Network connections to TCP/554 (RTSP) and TCP/80 from the test host; HTTP requests to /cgi-bin/snapshot.cgi without authentication headers; potential RTSP DESCRIBE request in network capture
- Test 3: Configuration Extraction via Unauthenticated API
  Expected signal: Multiple HTTP GET requests to configuration and backup endpoints without Authorization headers; file download activity if 200 responses are received; DNS lookups for the NVR hostname from the test system
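The rule's logic replayed offline over constructed events, as an added example rather than code from this rule page or from Chronicle. It applies the same per-event filters as the YARA-L rule (HTTP GET/POST to an NVR port, an administrative path in the request URL, no Authorization header), groups candidates by target IP over a sliding 5-minute window, fires above five events, and adds the allowlist for internal monitoring hosts that the False Positives & Tuning section calls for. The sample events embed the Test 1 telemetry described in the testing methodology next to benign traffic that must not fire. The flat event field names, all IP addresses, URLs, header values and the allowlist contents are constructed assumptions.

```python
"""Offline replay of the CVE-2023-52163 YARA-L detection over constructed events.

Added example, not code from the rule page or from Chronicle. Field names on
the event dicts (principal_ip, target_url, request_headers, ...) are a flat
stand-in for the UDM paths the rule references; all IPs, URLs and headers are
constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same patterns, ports, window and threshold as the YARA-L rule.
ADMIN_PATH = re.compile(r"(?i)(cgi-bin|/admin|/system|/config|/setup|/api)")
AUTH_HEADER = re.compile(r"(?i)authorization:\s*.+")
NVR_PORTS = {80, 443, 8080, 8443, 554, 37777}
WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # the rule's condition is #e > 5

# Tuning knob (assumption): source IPs of internal services that poll device
# health APIs without a standard Authorization header.
MONITORING_ALLOWLIST = frozenset({"10.0.0.5"})


def is_candidate(ev: dict, allowlist=MONITORING_ALLOWLIST) -> bool:
    """Apply the rule's per-event filters to one UDM-like event dict."""
    return (
        ev.get("event_type") == "NETWORK_HTTP"
        and ev.get("method") in ("GET", "POST")
        and ev.get("target_port") in NVR_PORTS
        and ADMIN_PATH.search(ev.get("target_url", "")) is not None
        and AUTH_HEADER.search(ev.get("request_headers", "")) is None
        and ev.get("principal_ip") not in allowlist
    )


def detect(events, allowlist=MONITORING_ALLOWLIST):
    """Group candidates per target IP and slide a 5-minute window over them.

    Returns {target_ip: {"request_count": n, "source_ips": [...]}} for every
    target IP that accumulates more than THRESHOLD candidate events inside some
    window, mirroring the rule's match/outcome/condition sections.
    """
    by_target = defaultdict(list)
    for ev in events:
        if is_candidate(ev, allowlist):
            by_target[ev["target_ip"]].append(ev)

    alerts = {}
    for target_ip, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Drop events older than WINDOW relative to the newest one.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) > THRESHOLD:
                alerts[target_ip] = {
                    "request_count": len({e["id"] for e in window}),
                    "source_ips": sorted({e["principal_ip"] for e in window}),
                }
                break
    return alerts


T0 = datetime(2024, 1, 1, 12, 0, 0)


def _ev(eid, minute, src, dst, port, url, headers=""):
    """Build one constructed event (sample data, not real telemetry)."""
    return {
        "id": eid,
        "ts": T0 + timedelta(minutes=minute),
        "event_type": "NETWORK_HTTP",
        "method": "GET",
        "principal_ip": src,
        "target_ip": dst,
        "target_port": port,
        "target_url": url,
        "request_headers": headers,
    }


SAMPLE_EVENTS = (
    # Test 1 telemetry from the testing methodology: six unauthenticated GETs
    # to /cgi-bin/ and /admin/ on port 80 within three minutes.
    [_ev(f"a{i}", i * 0.5, "198.51.100.7", "192.0.2.10", 80,
         "http://192.0.2.10/cgi-bin/setup.cgi" if i % 2 else "http://192.0.2.10/admin/")
     for i in range(6)]
    # Internal monitoring host polling a health API without auth (allowlisted).
    + [_ev(f"m{i}", i, "10.0.0.5", "192.0.2.10", 80, "http://192.0.2.10/api/health")
       for i in range(10)]
    # Legitimate administrator session carrying an Authorization header.
    + [_ev(f"b{i}", i, "10.0.0.20", "192.0.2.11", 443, "https://192.0.2.11/admin/",
           "Authorization: Basic dXNlcjpwYXNz")
       for i in range(8)]
    # Three unauthenticated probes against a second NVR: below the threshold.
    + [_ev(f"c{i}", i, "198.51.100.9", "192.0.2.11", 80, "http://192.0.2.11/config/")
       for i in range(3)]
)

if __name__ == "__main__":
    for target, info in detect(SAMPLE_EVENTS).items():
        print(f"ALERT target={target} {info}")
```

Running the block prints one alert for the NVR at 192.0.2.10 with six requests from a single source. Passing `allowlist=frozenset()` to `detect` reproduces the first false positive from the tuning list: the monitoring host's unauthenticated health polls then appear in the alert's source IPs, which is the signal that the allowlist is the right tuning point rather than a higher threshold.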