Axis Camera Server Vulnerabilities Expose Thousands of Organizations to Attack
Critical security flaws in Axis Communications’ surveillance infrastructure have left over 6,500 organizations worldwide vulnerable to sophisticated cyberattacks, with potential impacts spanning government agencies, educational institutions, and Fortune 500 companies.
The Swedish security camera manufacturer’s popular video surveillance products contain four distinct vulnerabilities that could allow attackers to gain complete control over camera networks and monitoring systems.
The vulnerabilities target Axis Communications’ proprietary Axis.Remoting communication protocol, which facilitates communication between camera management servers and client applications.
This protocol, used by both Axis Device Manager and Axis Camera Station software, enables centralized control of camera fleets across multiple locations.
The security flaws create an attack chain that culminates in pre-authentication remote code execution, effectively bypassing all security measures designed to protect these critical surveillance systems.
Claroty researchers identified the vulnerabilities through extensive analysis of the Axis.Remoting protocol, discovering that the system’s reliance on self-signed certificates and lack of proper message authentication creates multiple attack vectors.
The research team developed a man-in-the-middle setup that revealed cleartext communications containing sensitive organizational information, including Windows domain credentials and system hostnames.
Internet scans conducted using services like Censys and Shodan revealed that approximately 3,856 vulnerable servers are located in the United States alone, with thousands more distributed globally.
Each compromised server potentially manages hundreds or thousands of individual cameras, exponentially amplifying the attack surface and potential impact.
Authentication Bypass and Remote Code Execution
The most severe vulnerability involves a critical authentication bypass mechanism within Axis.Remoting’s fallback HTTP protocol. While the primary TCP communication channel on port 55754 requires proper authentication, researchers discovered a hidden endpoint accessible via the /_/ path that allows anonymous access.
This endpoint utilizes the same underlying Axis.Remoting protocol but bypasses the AuthenticationSchemes.Negotiate requirement.
The authentication bypass enables attackers to exploit a dangerous deserialization vulnerability in the JSON processing component.
The system uses TypeNameHandling.Auto settings, allowing attackers to specify arbitrary object types through the $type field in JSON requests.
This configuration creates a pathway for attackers to instantiate malicious objects that execute code during the deserialization process.
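A defender-side check for the pattern described above, added here as an example (not code from Axis or Claroty): it walks JSON bodies logged for the /_/ fallback path and reports every $type value that is not on an allowlist. It assumes a TLS-inspecting proxy that records request path and body; the log records, type names and allowlist are constructed placeholders.

```python
import json

FALLBACK_PREFIX = "/_/"  # anonymous fallback HTTP path named in the article
# Assumption: type names this deployment legitimately sends (constructed placeholder).
ALLOWED_TYPES = {"Example.Contracts.StatusRequest, Example.Contracts"}

def type_hints(body):
    """Return every "$type" value in a JSON body, at any depth, duplicates included."""
    # Objects are kept as lists of (key, value) tuples so that a repeated "$type"
    # key is not silently collapsed to its last value by the parser.
    doc = json.loads(body, object_pairs_hook=lambda pairs: pairs)
    found, stack = [], [doc]
    while stack:
        cur = stack.pop()
        if isinstance(cur, tuple):    # one member of a JSON object
            key, value = cur
            if key == "$type":
                found.append(str(value))
            stack.append(value)
        elif isinstance(cur, list):   # JSON array, or an object's member list
            stack.extend(cur)
    return found

def inspect_request(path, body):
    """Findings for one logged request; an empty list means nothing to report."""
    if not path.startswith(FALLBACK_PREFIX):
        return []
    try:
        hints = type_hints(body)
    except (ValueError, RecursionError):  # malformed or pathologically nested JSON
        return ["unparseable body"]
    return sorted(f"unlisted $type: {t}" for t in hints if t not in ALLOWED_TYPES)

# Constructed proxy records (source, path, body); not captured traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "/_/", '{"$type": "Example.Contracts.StatusRequest, Example.Contracts"}'),
    ("203.0.113.9", "/_/", '{"args": [{"$type": "Placeholder.Unexpected.Type, PlaceholderAssembly"}]}'),
    ("203.0.113.9", "/_/", '{"$type": "Example.Contracts.StatusRequest, Example.Contracts",'
                           ' "$type": "Placeholder.Other, PlaceholderAssembly"}'),
    ("198.51.100.4", "/_/", '{"$type": '),
    ("10.0.0.7", "/health", '{"$type": "Placeholder.Unexpected.Type, PlaceholderAssembly"}'),
]

def scan(log):
    """Map each source address to its findings, skipping clean requests."""
    report = {}
    for source, path, body in log:
        findings = inspect_request(path, body)
        if findings:
            report.setdefault(source, []).extend(findings)
    return report
```

The third record repeats the $type key, which a plain json.loads would reduce to the last value only; keeping every member is what lets the check see both.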
All four vulnerabilities are listed below:
CVE | Description | CVSS Score | Affected Products | Impact |
---|---|---|---|---|
CVE-2025-30026 | Authentication bypass flaw in AXIS Camera Station Server | 5.3 | AXIS Camera Station Pro 6.9, AXIS Camera Station 5.58 | Pre-authentication access to camera systems |
CVE-2025-30023 | Remote code execution via communication protocol deserialization | 9.0 | AXIS Camera Station Pro 6.9, AXIS Camera Station 5.58, AXIS Device Manager 5.32 | Full system compromise with NT AUTHORITY privileges |
CVE-2025-30024 | Man-in-the-middle attack via communication protocol flaw | 6.8 | AXIS Device Manager 5.32 | Credential interception and session hijacking |
CVE-2025-30025 | Local privilege escalation in server-service communication | 4.8 | AXIS Device Manager 5.32, AXIS Camera Station Pro 6.8 | Elevated privileges on local system |
Successful exploitation grants attackers NT AUTHORITY\SYSTEM privileges on Windows-based Axis servers, providing complete administrative control over the surveillance infrastructure.
From this privileged position, attackers can access live camera feeds, manipulate recordings, deploy malicious packages to individual cameras, and potentially use the compromised systems as pivot points for broader network infiltration.