COMMENTARY: When the Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 22 added CVE-2023-52163 to its Known Exploited Vulnerabilities (KEV) catalog, it brought up a problem that many organizations still ignore: the most vulnerable systems in modern environments are often not the laptops and servers that dominate patch cycles, but devices that are not even perceived as computers.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
The vulnerability affects firmware in the Digiever DS-2105 network video recorder (NVR), a network-reachable device that many teams would classify as infrastructure or an appliance rather than a host.
That’s precisely the issue: the flaw’s KEV status shows that attackers do not care how an organization labels a device.
If it runs an operating system, exposes services, and attackers can reach it over the network, it’s a viable target. Because few organizations are watching at that level, it is often an even better target.
Why vulnerabilities like CVE-2023-52163 matter
At a technical level, vulnerabilities like CVE-2023-52163 are not exotic. They fall into the same categories security teams deal with every day, such as flawed authentication, unsafe request handling, or memory management issues in network services.
What makes them dangerous is not novelty, but placement.
Devices like NVRs, cameras, building controllers, printers, and industrial systems often sit quietly on the network for several years. They usually run Linux, sometimes embedded Windows, host web interfaces, stream data, and listen on multiple ports. From an attacker’s perspective, they are long-lived, rarely monitored systems that frequently lag behind in patching. That’s an ideal combination for both exploitation and persistence.
Remember that an NVR is often seen as “just a camera box,” and HVAC controllers are viewed as building equipment. Because these systems are headless or rarely interacted with, security pros tend to assume they are simple and low risk.
Under all that, they often run a full OS stack with third-party libraries, web servers, and authentication components. There’s no inherent security advantage in being bolted to a wall or rack. The attack surface gets defined by code and exposure, not by form factor.
This illusion leads directly to operational blind spots. Devices are deployed and forgotten. Logs are ignored or not collected. Firmware updates are skipped because downtime is inconvenient or because there’s unclear ownership between IT, security, and facilities.
Remote access turns weaknesses into entry points
It’s not uncommon that devices like these are directly reachable from the internet. Port forwarding gets enabled so users can view video feeds or manage systems remotely. Convenience always has a cost.
Once vulnerable services are exposed, exploitation becomes a matter of scanning and automation. Attackers do not need credentials if the vulnerability allows bypass or code execution. They do not need insider knowledge if the service fingerprint is common. KEV entries repeatedly show that exposed management interfaces are one of the fastest paths to compromise.
These devices carry the same maintenance burden as any other host. They require vulnerability tracking, patch evaluation, testing, and deployment. Treating them as exceptions does not reduce risk as much as it concentrates it.
The vendor ecosystem makes this worse. Many appliance vendors release updates slowly, publish minimal advisories, or abandon products while they remain deployed. When a vulnerability reaches the KEV under these conditions, remediation often requires compensating controls such as segmentation, access restriction, or outright replacement.
Teams need to weigh these issues when planning and purchasing systems like this; far too often, such decisions are made on features and ease of use alone. Remember that if we cannot manage a system, we are effectively trusting that the vendor’s latest firmware addresses everything between now and the next update, and that’s impossible. Vendors generally ship fixes with software upgrades and bug-fix releases, and issue dedicated security updates only when someone publicly links a component to a vulnerability.
Operational takeaways
Security teams should treat CVE-2023-52163 as a representative case, even if they do not own the affected product. It’s not an anomaly; it’s just another reminder of how these systems have become weapons for threat actors.
Teams must inventory every network-attached device and assign it a clear owner within the organization. Minimize exposure, especially to the internet. Include these devices in vulnerability management workflows, and design network segmentation to assume compromise and limit lateral movement. Also: logging and traffic monitoring should extend to these systems, not stop at traditional hosts.
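One way to act on those takeaways, as an added example that is not from the column or from Action1: a small Python triage that cross-references an asset inventory (constructed sample data, including an unowned, port-forwarded NVR) against a KEV excerpt written in the public feed’s JSON field names, and ranks unowned, internet-exposed KEV matches first.

```python
"""Cross-reference a device inventory against CISA KEV entries.
Added example; KEV record and inventory are constructed sample data.
Field names follow the public KEV JSON feed (vulnerabilities[].cveID,
vendorProject, product); the matching rules are this example's own."""
import json

# Constructed KEV excerpt in the feed's JSON shape (sample data, not the live feed).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-52163", "vendorProject": "Digiever",
     "product": "DS-2105 NVR"},
]})

# Constructed inventory: the NVR has no owner and is port-forwarded to the internet.
INVENTORY = [
    {"host": "web01", "vendor": "Canonical", "product": "Ubuntu",
     "owner": "it-ops", "internet_exposed": False},
    {"host": "lobby-nvr", "vendor": "Digiever", "product": "DS-2105",
     "owner": None, "internet_exposed": True},
    {"host": "hvac-ctl", "vendor": "ExampleCo", "product": "BMS-100",
     "owner": "facilities", "internet_exposed": False},
]


def _matches(asset, entry):
    """Vendor must match exactly; product matches if the inventory's product
    string appears in the KEV product field (KEV product names are free text)."""
    vendor_ok = asset["vendor"].lower() == entry["vendorProject"].lower()
    prod_ok = asset["product"].lower() in entry["product"].lower()
    return vendor_ok and prod_ok


def triage(inventory, kev_json):
    """Return findings, highest priority first: KEV hits weigh 2, each gap 1."""
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        hits = [e["cveID"] for e in entries if _matches(asset, e)]
        gaps = []
        if asset["owner"] is None:
            gaps.append("no-owner")          # nobody is on the hook to patch it
        if asset["internet_exposed"]:
            gaps.append("internet-exposed")  # reachable by mass scanning
        if hits or gaps:
            findings.append({"host": asset["host"], "kev": hits, "gaps": gaps,
                             "priority": len(hits) * 2 + len(gaps)})
    return sorted(findings, key=lambda f: -f["priority"])
```

Run `triage(INVENTORY, KEV_JSON)` to see only the NVR surface, flagged with its CVE, its missing owner and its exposure; the well-owned, internal hosts produce no finding.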
There’s no meaningful difference between a server and a headless device when it comes to exploitation. The same vulnerabilities apply, the same attack techniques are used, and the same consequences follow.
Organizations that continue to treat these systems as a different class of assets will keep seeing them appear in the KEV, not as theoretical risks but as confirmed footholds used by real attackers, and may well find themselves among the victims in that statistic.
Gene Moody, Field CTO, Action1