This vulnerability was discovered by Claudio Bozzato of Cisco Talos.

Executive Summary
The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for a variety of uses, including as a home security monitoring device. Talos recently identified 32 vulnerabilities in these devices and worked with Foscam to develop fixes for them; we published the details in two blog posts here and here. In continuing our security assessment of these devices, Talos has discovered an additional vulnerability. In accordance with our coordinated disclosure policy, Talos has worked with Foscam to ensure that this issue has been resolved and that a firmware update is available for affected customers. An attacker could leverage this vulnerability to take complete control of affected devices.

Vulnerability Details

Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability (TALOS-2017-0378 / CVE-2017-2871)
Foscam C1 HD Indoor cameras provide multiple ways to recover from firmware corruption without requiring physical device access. One of these methods allows firmware images to be hosted on a TFTP server. When the device reboots, it looks for a TFTP server on the same subnet as the device. An attacker with access to the same subnet as the affected device could leverage this functionality to perform a firmware upgrade on the device without authentication. This could be used to replace the device's firmware with a specially crafted image, resulting in complete device compromise. TALOS-2017-0378 has been assigned CVE-2017-2871. For additional information, please see the advisory here.
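One way to watch for the recovery behavior described above, as an added example that is not part of the Talos advisory: a parser for TFTP datagrams (RFC 1350) that flags read requests sent by camera addresses to servers outside an approved list. The addresses, the filename and the function names are constructed for illustration; the advisory does not state which file the camera requests.

```python
import struct
from ipaddress import ip_address

# TFTP opcodes from RFC 1350.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def parse_tftp(payload: bytes):
    """Return (opcode_name, filename, mode) for a TFTP datagram, or None if malformed."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    name = OPCODES.get(opcode)
    if name is None:
        return None
    if name in ("RRQ", "WRQ"):
        # Request body: filename NUL mode NUL (RFC 2347 options may follow).
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            return None
        return (name, fields[0].decode("ascii", "replace"),
                fields[1].decode("ascii", "replace").lower())
    return name, None, None

def find_recovery_fetches(datagrams, cameras, approved_servers=()):
    """Flag TFTP read requests from camera addresses to unapproved destinations."""
    cams = {ip_address(c) for c in cameras}
    approved = {ip_address(s) for s in approved_servers}
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != 69 or ip_address(src) not in cams:
            continue
        parsed = parse_tftp(payload)
        if parsed and parsed[0] == "RRQ" and ip_address(dst) not in approved:
            alerts.append({"camera": src, "server": dst,
                           "file": parsed[1], "mode": parsed[2]})
    return alerts

# Constructed sample: (src, dst, udp_dport, payload). Addresses use the
# RFC 5737 documentation range; the filename is a placeholder.
SAMPLE = [
    ("192.0.2.50", "192.0.2.9", 69, b"\x00\x01PLACEHOLDER.bin\x00OCTET\x00"),
    ("192.0.2.50", "192.0.2.9", 53, b"\x00\x01PLACEHOLDER.bin\x00octet\x00"),
    ("192.0.2.77", "192.0.2.9", 69, b"\x00\x01boot.cfg\x00netascii\x00"),
    ("192.0.2.50", "192.0.2.9", 69, b"\x00\x09junk"),
]

if __name__ == "__main__":
    for alert in find_recovery_fetches(SAMPLE, cameras=["192.0.2.50"]):
        print(alert)
```

Passing the address of a TFTP server you operate yourself as `approved_servers` suppresses alerts for it, so only fetches from unexpected hosts on the subnet are reported.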

Versions Tested
Talos has tested and confirmed that the following Foscam firmware versions are affected:

Foscam Indoor IP Camera C1 Series
System Firmware Version:
Application Firmware Version:
Plug-In Version:

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 43559