CVE-2022-28743 – This CVE describes a Time-of-check Time-of-use ... (How to Fix)

Q: What is the severity of CVE-2022-28743?

CVE-2022-28743 has a CVSS score of 9.1 (CRITICAL). This CVE describes a Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Foscam R2C IP cameras that allows authenticated attackers with administrator permissions to execute arbitrary code via malicious firmware patches. Attackers can gain root access to the camera's Linux system, enabling them to modify device behavior, install backdoors, or access live camera feeds. Only Foscam R2C IP cameras running vulnerable firmware versions are affected.

📋 TL;DR

This CVE describes a Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Foscam R2C IP cameras that allows authenticated attackers with administrator permissions to execute arbitrary code via malicious firmware patches. Attackers can gain root access to the camera's Linux system, enabling them to modify device behavior, install backdoors, or access live camera feeds. Only Foscam R2C IP cameras running vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Foscam R2C IP Camera

Versions: System FW <= 1.13.1.6 and Application FW <= 2.91.2.66

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires administrator credentials to exploit. Cameras exposed to internet are at highest risk.

📦 What is this software?

R2c Application Firmware by Foscam

View all CVEs affecting R2c Application Firmware →

R2c System Firmware by Foscam

View all CVEs affecting R2c System Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of the IP camera allowing attackers to modify firmware, install persistent backdoors, access live camera streams, pivot to internal networks, and maintain undetected access.

🟠

Likely Case

Attackers with administrator credentials gain root access to the camera, enabling them to view live feeds, modify camera settings, and potentially use the device as a foothold for further network attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the camera device itself without network propagation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires administrator access and ability to upload firmware. TOCTOU race conditions require precise timing but are well-understood attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: System FW > 1.13.1.6 and Application FW > 2.91.2.66

Vendor Advisory: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/keeping-a-critical-eye-on-iot-devices.html

Restart Required: Yes

Instructions:

1. Log into Foscam camera web interface. 2. Navigate to System > Upgrade. 3. Download latest firmware from Foscam website. 4. Upload and apply firmware update. 5. Camera will reboot automatically.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate IP cameras on separate VLAN with strict firewall rules

Access Control

all

Restrict administrative access to trusted IP addresses only

🧯 If You Can't Patch

Remove cameras from internet-facing networks immediately
Change all administrator passwords and implement strong authentication

🔍 How to Verify

Check if Vulnerable:

Check firmware version in camera web interface under System > Information

Check Version:

Not applicable - use web interface

Verify Fix Applied:

Verify firmware version shows System FW > 1.13.1.6 and Application FW > 2.91.2.66

📡 Detection & Monitoring

Log Indicators:

Unusual firmware upload attempts
Multiple failed authentication attempts followed by successful login
Unexpected system reboots

Network Indicators:

Unusual outbound connections from camera
Firmware download from non-Foscam sources
SSH/Telnet connections to camera

SIEM Query:

source="camera_logs" AND (event="firmware_upload" OR event="admin_login")

📊 Metadata

CVE ID: CVE-2022-28743

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-367

Published: April 21, 2022

Last Updated: November 21, 2024

🔗 References

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/keeping-a-critical-eye-on-iot-devices.html Third Party Advisory
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/keeping-a-critical-eye-on-iot-devices.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28743, you might also want to check these: