CVE-2014-1849
published 2014-05-14


Priority: P2 · 62 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 12.09% (95.6th percentile)
Foscam IP camera 11.37.2.49 and other versions, when using the Foscam DynDNS option, generates credentials based on predictable camera subdomain names, which allows remote attackers to spoof or hijack arbitrary cameras and conduct other attacks by modifying arbitrary camera records in the Foscam DNS server.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
foscam | ip_camera_firmware | |

Detection & IOCs (extracted from sources)

port: 8080
version: 11.37.2.49
bytes:
01 50 49 44 3d 31 34 01 55 4e 61 6d 65 3d 63 68 31 32 36 36 01 50 57 44 3d 63 68 31 32 36 36 01 4f 45 4d 3d 72 65 65 63 61 6d 01 44 6f 6d 61 69 6e 43 6f 75 6e 74 3d 31 01 44 6f 6d 61 69 6e 30 3d 63 68 31 32 36 36 2e 6d 79 66 6f 73 63 61 6d 2e 6f 72 67 01 00
bytes:
01 50 49 44 3d 31 30 01 55 4e 61 6d 65 3d 63 68 31 32 36 36 01 50 57 44 3d 63 68 31 32 36 36 01 4f 45 4d 3d 72 65 65 63 61 6d 01 4f 53 3d 4c 69 6e 75 78 01 42 75 69 6c 64 4e 4f 3d 31 33 38 30 01 44 6f 6d 61 69 6e 30 3d 63 68 31 32 36 36 2e 6d 79 66 6f 73 63 61 6d 2e 6f 72 67 01 00
  • Monitor for UDP traffic to port 8080 destined for myfoscam.org DDNS servers containing the OEM field value 'reecam' (0x72 0x65 0x65 0x63 0x61 0x6d) — this is the protocol marker used by the exploit to register/hijack camera DNS entries.
  • Detect the exploit's initial registration payload by matching the 0x01-delimited protocol structure with fields PID=14, UName, PWD, OEM=reecam, DomainCount=1, and a Domain0 ending in .myfoscam.org over UDP.
  • Detect the redirect/hijack payload (PID=10, BuildNO=1380, OS=Linux) sent over UDP to the forwarded DDNS server IP and port extracted from the initial response — this second-stage packet completes the DNS record takeover.
  • Camera subdomains follow a predictable pattern (e.g., ch<digits>.myfoscam.org); alert on DNS queries or registrations for subdomains matching this pattern originating from unexpected sources.
  • The attack is two-stage over UDP: first a registration request to the DDNS server on port 8080, then a redirect/update request sent to a forwarded server IP:port extracted from the first response. Both stages must be blocked to prevent DNS record hijacking.
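
The payload layout described in the notes above, written as a parser and classifier for captured UDP payloads. This is an added example, not code from this page's sources; the function names, the constructed benign sample and the subdomain regex are assumptions.

```python
import re

# Payloads copied from the two "bytes" entries on this page.
REGISTER = bytes.fromhex("01 50 49 44 3d 31 34 01 55 4e 61 6d 65 3d 63 68 31 32 36 36 01 50 57 44 3d 63 68 31 32 36 36 01 4f 45 4d 3d 72 65 65 63 61 6d 01 44 6f 6d 61 69 6e 43 6f 75 6e 74 3d 31 01 44 6f 6d 61 69 6e 30 3d 63 68 31 32 36 36 2e 6d 79 66 6f 73 63 61 6d 2e 6f 72 67 01 00")
UPDATE = bytes.fromhex("01 50 49 44 3d 31 30 01 55 4e 61 6d 65 3d 63 68 31 32 36 36 01 50 57 44 3d 63 68 31 32 36 36 01 4f 45 4d 3d 72 65 65 63 61 6d 01 4f 53 3d 4c 69 6e 75 78 01 42 75 69 6c 64 4e 4f 3d 31 33 38 30 01 44 6f 6d 61 69 6e 30 3d 63 68 31 32 36 36 2e 6d 79 66 6f 73 63 61 6d 2e 6f 72 67 01 00")
# Constructed sample: same framing, different OEM and domain; must not alert.
BENIGN = b"\x01PID=14\x01OEM=other\x01Domain0=cam.example.net\x01\x00"

# Assumed shape of a predictable name, generalised from "ch<digits>" on the page.
SUBDOMAIN = re.compile(r"^[a-z]+\d+\.myfoscam\.org$")
STAGES = {"14": "stage1-register", "10": "stage2-update"}


def parse_fields(payload):
    """Split a 0x01-delimited payload into KEY=value pairs, skipping junk."""
    fields = {}
    for chunk in payload.rstrip(b"\x00").split(b"\x01"):
        key, sep, value = chunk.partition(b"=")
        if sep and key:
            fields[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return fields


def classify(payload, dst_port):
    """Return an alert dict for a matching UDP payload, else None."""
    f = parse_fields(payload)
    domain = f.get("Domain0", "").lower()
    stage = STAGES.get(f.get("PID"))
    if f.get("OEM") != "reecam" or stage is None:
        return None
    if not domain.endswith(".myfoscam.org"):
        return None
    # The first stage targets port 8080; the second goes to a forwarded
    # IP:port taken from the first response, so its port is not fixed.
    if stage == "stage1-register" and dst_port != 8080:
        return None
    label = domain.split(".")[0]
    return {
        "stage": stage,
        "domain": domain,
        "predictable_name": bool(SUBDOMAIN.match(domain)),
        # The weakness itself: credentials equal to the subdomain label.
        "creds_equal_label": f.get("UName") == f.get("PWD") == label,
    }
```

Feed it the UDP payload and destination port from a packet capture or sensor; correlate a stage-1 alert with a later stage-2 alert for the same domain from the same source.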