Samsung had patched the original vulnerabilities but left one set of scripts untouched: the PHP files that provide firmware updates via the camera's "iWatch" webcam monitoring service. Those scripts have a command injection bug that lets a user without admin privileges execute commands remotely as root. Exploiteers helpfully provided a technical writeup explaining how to exploit the bug, fix the vulnerability and even re-enable the web interface.

Update: Samsung shared the following statement regarding the hack: