A few things: aside from the obvious flash_dumper.cgi functionality, you can also use next_file to request any binary, such as the cgi files themselves. Who knows why this functionality was shipped with production cameras... You can make some todo requests to file.cgi. The interesting one is /adm/file.cgi?todo=inject_telnetd. Unfortunately, I don't know the root password yet. It looks like it might be set up on boot from rc.sethost as a concatenation of three strings, but it's hard to tell without a proper disassembly. If anyone knows the Linux root password for these devices, please let me know.