The Samsung SRN-1670D camera contains multiple vulnerabilities.
CWE-264: Permissions, Privileges, and Access Controls - CVE-2015-8279
An undocumented PHP request may be used to read arbitrary files from the system.
An unauthenticated remote attacker may access arbitrary files on the device, and learn user credentials.
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to Aristide Fattori, Luca Giancane and Roberto Paleari for reporting this vulnerability.
This document was written by Garret Wassermann.