Multiple vulnerabilities in Foscam X5 IP cameras allow remote attackers to execute arbitrary code without authentication. 

The flaws, disclosed on May 21, 2025, affect the UDTMediaServer component in Foscam X5 version 2.40 and prior firmware releases. 

Despite repeated attempts to contact the vendor, Foscam reportedly failed to address these critical security issues, exposing users to potential attacks.

Unpatched Buffer Overflow Vulnerabilities

The vulnerabilities were discovered by an independent security researcher working with SSD Secure Disclosure. 

According to the technical advisory, the Foscam X5 camera exposes a service called UDTMediaServer that contains multiple endpoints accessible without authentication. 

Three of these endpoints can be exploited to overflow internal buffers and execute arbitrary code with root privileges.

The first vulnerability affects the handler 0x72 in UDTMediaServer, which contains an unprotected buffer overflow vulnerability in its parsing functionality. 

The function FUN_000332c8, responsible for handling incoming data, performs insufficient bounds checking when processing user input:

This allows attackers to trigger a write-null-anywhere primitive to corrupt a return pointer on the stack and gain control of the program flow.

The second vulnerability, identified in handler 0x0C of UDTMediaServer, is similar to a previously disclosed vulnerability in Foscam R4M cameras, suggesting the vendor failed to patch the issue across all firmware versions. 

Additionally, researchers discovered that the RtspServer component, which runs on port 65534, is vulnerable to CVE-2018-4013 – a stack-based buffer overflow in the HTTP packet-parsing functionality of LIVE555 RTSP server library version 0.77.

The technical analysis revealed that all these vulnerabilities can be exploited without authentication. 

The researchers developed proof-of-concept exploits that utilize Return-Oriented Programming (ROP) techniques to call the popen() or execve() functions with commands that spawn a telnet daemon:

This results in opening a telnet service on port 4321 with root privileges, giving attackers complete control over the device.

Mitigation Measures

The security researchers reported that “repeated attempts to get a response from the vendor or for the vendor to address the issues raised have failed”. 

This lack of response raises serious concerns about Foscam’s commitment to security.

While other Foscam models have received security updates for previous vulnerabilities, such as the R4M model, which had similar issues patched in July 2024, no fix is currently available for the X5 model. 

Security experts believe other Foscam models with similar firmware, including X3, R3, R5, and X4, may also be vulnerable to these attacks.

Until patches are available, users are advised to isolate their Foscam cameras from the internet and place them behind firewalls that restrict access to ports 88, 888, and any ports above 30000, particularly 65534. 

Network segmentation and monitoring traffic to and from these devices are also recommended as temporary mitigation measures.

Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar