CVE-2023-52163 Splunk · SPL

Detect Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163) in Splunk

Detects exploitation of CVE-2023-52163, a missing authorization vulnerability (CWE-862) in Digiever DS-2105 Pro NVR devices. This KEV-listed vulnerability allows unauthenticated attackers to access restricted functionality or administrative interfaces without proper credential validation. Threat actors actively exploit exposed NVR devices for initial access, lateral movement, and persistence in OT/IoT environments.

MITRE ATT&CK

Tactics: Initial Access, Privilege Escalation, Defense Evasion

SPL Detection Query

Splunk (SPL):

```spl
index=network OR index=proxy OR index=firewall earliest=-24h
| search dest_port IN (80, 443, 8080, 8443, 554, 37777)
    AND (uri_path="*/cgi-bin/*" OR uri_path="*/admin/*" OR uri_path="*/system/*" OR uri_path="*/config/*" OR uri_path="*/api/*" OR uri_path="*/setup*")
| eval has_auth=if(isnull(http_header_authorization) OR http_header_authorization="", "no", "yes")
| where has_auth="no"
| eval is_digiever=if(
    like(lower(vendor),"%digiever%") OR like(lower(product),"%ds-2105%") OR like(lower(http_user_agent),"%digiever%"),
    1, 0)
| eval suspicious_target=if(
    match(dest_ip, "^192\.168\.") OR match(dest_ip, "^10\.") OR match(dest_ip, "^172\.(1[6-9]|2[0-9]|3[01])\."),
    "internal", "external")
| bin _time span=5m
| stats count AS request_count, dc(src_ip) AS unique_sources, values(uri_path) AS paths, max(is_digiever) AS is_digiever, values(suspicious_target) AS suspicious_target BY dest_ip, _time
| where request_count > 5 OR unique_sources > 2
| eval severity=if(request_count > 20, "high", "medium")
| table _time, dest_ip, request_count, unique_sources, paths, is_digiever, suspicious_target, severity
```

Severity: high · Confidence: medium

Splunk query detecting unauthenticated access attempts to Digiever DS-2105 Pro administrative endpoints. Correlates request volume and source diversity to identify active exploitation versus isolated scanning.

Data Sources

  • Proxy logs
  • Firewall logs
  • Network traffic logs
  • IDS/IPS logs

Required Sourcetypes

  • pan:traffic
  • cisco:asa
  • bluecoat:proxysg:access:syslog
  • stream:http

False Positives & Tuning

  • Authorized internal monitoring tools accessing device status pages without authentication tokens
  • Vulnerability scanners conducting scheduled assessments of network-connected devices
  • IoT management platforms using pre-configured API access that omits standard auth headers
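To show how the correlation in the query above behaves, and how the allowlist exclusion suggested by the tuning list fits in, here is the same bucketing and thresholding logic reimplemented in Python over constructed sample events. This is an added illustration, not part of the detection package; the event layout, sample addresses and the allowlisted scanner address 10.0.0.5 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Mirrors the SPL above: admin-style URI patterns, watched ports, 5m buckets, thresholds.
ADMIN_PATTERNS = ("/cgi-bin/", "/admin/", "/system/", "/config/", "/api/", "/setup")
WATCHED_PORTS = {80, 443, 8080, 8443, 554, 37777}
BUCKET_SECONDS = 300  # span=5m
# Constructed sample events, not real telemetry:
# (timestamp, src_ip, dest_ip, dest_port, uri_path, Authorization header value)
SAMPLE_EVENTS = [
    # one source bursting 6 unauthenticated admin requests at one NVR (request_count > 5)
    *[("2024-03-01T10:00:%02dZ" % s, "203.0.113.7", "192.168.10.20", 80, "/cgi-bin/status.cgi", "") for s in range(5, 35, 5)],
    # three distinct sources probing a second NVR (unique_sources > 2)
    ("2024-03-01T10:02:00Z", "198.51.100.1", "192.168.10.21", 8080, "/admin/index.html", ""),
    ("2024-03-01T10:02:10Z", "198.51.100.2", "192.168.10.21", 8080, "/api/config", ""),
    ("2024-03-01T10:02:20Z", "198.51.100.3", "192.168.10.21", 8080, "/setup.cgi", ""),
    # an authenticated request and a non-admin path: neither counts
    ("2024-03-01T10:03:00Z", "198.51.100.4", "192.168.10.22", 80, "/cgi-bin/status.cgi", "Basic dXNlcjpwYXNz"),
    ("2024-03-01T10:03:05Z", "198.51.100.4", "192.168.10.22", 80, "/index.html", ""),
    # an authorised internal scanner (assumed address) hitting a third NVR 6 times: a tuning candidate
    *[("2024-03-01T10:04:%02dZ" % s, "10.0.0.5", "192.168.10.22", 80, "/config/backup.cgi", "") for s in range(0, 60, 10)],
]

def _to_epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def is_unauth_admin_request(event):
    # equivalent of the dest_port/uri_path search plus has_auth="no"
    _, _, _, port, path, auth = event
    return port in WATCHED_PORTS and any(p in path for p in ADMIN_PATTERNS) and auth == ""

def correlate(events, allowlist=frozenset()):
    """stats count, dc(src_ip), values(uri_path) BY dest_ip per 5m bucket, then threshold and grade."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set(), "paths": set()})
    for ev in events:
        ts, src, dst, _, path, _ = ev
        if src in allowlist or not is_unauth_admin_request(ev):
            continue  # allowlisted scanner (tuning) or not an unauthenticated admin request
        start = int(_to_epoch(ts) // BUCKET_SECONDS) * BUCKET_SECONDS
        b = buckets[(dst, start)]
        b["count"] += 1
        b["sources"].add(src)
        b["paths"].add(path)
    alerts = []
    for (dst, start), b in sorted(buckets.items()):
        if b["count"] > 5 or len(b["sources"]) > 2:  # where request_count > 5 OR unique_sources > 2
            alerts.append({"dest_ip": dst, "bucket_start": start, "request_count": b["count"],
                           "unique_sources": len(b["sources"]), "paths": sorted(b["paths"]),
                           "severity": "high" if b["count"] > 20 else "medium"})
    return alerts
```

Without the allowlist the scanner burst against 192.168.10.22 fires a third alert; with `allowlist={"10.0.0.5"}` only the two suspicious destinations remain.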

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated Admin Endpoint Enumeration

    Expected signal: HTTP GET requests to /cgi-bin/ and /admin/ paths from the test host IP to the NVR device on port 80, with no Authorization header present in the HTTP request headers

  2. Test 2: RTSP Stream Access Without Authentication

    Expected signal: Network connections to TCP/554 (RTSP) and TCP/80 from the test host; HTTP requests to /cgi-bin/snapshot.cgi without authentication headers; potential RTSP DESCRIBE request in network capture

  3. Test 3: Configuration Extraction via Unauthenticated API

    Expected signal: Multiple HTTP GET requests to configuration and backup endpoints without Authorization headers; file download activity if 200 responses are received; DNS lookups for the NVR hostname from the test system
