Axis Camera Server Vulnerabilities Expose Thousands of Organizations to Attack

Claroty’s Team82 research unit has unveiled four vulnerabilities affecting Axis Communications’ widely deployed video surveillance ecosystem, potentially endangering thousands of organizations worldwide.

These flaws, centered on the proprietary Axis.Remoting communication protocol, enable pre-authentication remote code execution (RCE) on key components such as Axis Device Manager (ADM) and Axis Camera Station.

Axis, a leading Swedish provider of IP cameras and related systems, promptly acknowledged the issues and released patches following Team82’s private disclosure.

Critical Flaws in Proprietary Axis.Remoting Protocol

The vulnerabilities, tracked under CVEs including CVE-2025-30023 (CVSS v3.1 score of 9.0, classified as Critical due to CWE-502: Deserialization of Untrusted Data), exploit weaknesses in the protocol’s handling of mutual TLS (mTLS), NTLMSSP authentication, and JSON-based remote procedure calls (RPCs).

TLS wraps the socket used by Axis appliances.

Affected versions include AXIS Camera Station Pro prior to 6.9, AXIS Camera Station before 5.58, and AXIS Device Manager earlier than 5.32, all of which facilitate management and viewing of camera fleets in enterprise environments like government facilities, airports, and corporate campuses.

The Axis.Remoting protocol, designed for secure client-server interactions in .NET-based Windows environments, wraps communications in TLS but fails to properly validate self-signed certificates, allowing man-in-the-middle (MiTM) attacks.

Researchers demonstrated how attackers can intercept connections, decrypt traffic, and exploit NTLMSSP’s lack of message signing to perform pass-the-hash authentication bypasses (CVE-2025-30024).

This enables impersonation of legitimate clients, forwarding challenges to authenticated users and altering requests to invoke arbitrary RPC methods.

Deeper analysis revealed that the protocol relies on ServiceContract patterns for RPC, where non-primitive arguments undergo deserialization using TypeNameHandling.Auto in JSON serializers.

This configuration permits attackers to inject malicious $type fields, crafting payloads that trigger RCE during object construction, as validated using tools like ysoserial.net to execute PowerShell scripts on servers with NT AUTHORITY\SYSTEM privileges.
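The TypeNameHandling weakness described above, shown as an added illustration that is not from Team82's report or from Axis's code: a Newtonsoft.Json setup that honours a `$type` field from untrusted input beside a hardened one that ignores type metadata and, as defence in depth, binds any type name only through an explicit allowlist. `CameraRequest`, `RpcParser` and `AllowlistBinder` are assumed names for illustration.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Assumed request contract for illustration; not an Axis type.
public class CameraRequest
{
    public string CameraId { get; set; }
    public object Parameters { get; set; }   // non-primitive argument, as in the RPC pattern
}

// Defence in depth: only types on this allowlist may ever be resolved from JSON.
public sealed class AllowlistBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["CameraRequest"] = typeof(CameraRequest),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type not permitted: {typeName}");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // never emit assembly-qualified names
        typeName = serializedType.Name;
    }
}

public static class RpcParser
{
    // Risky: TypeNameHandling.Auto lets a "$type" field in the request choose
    // the concrete .NET type that is instantiated during deserialization.
    public static CameraRequest ParseRisky(string json) =>
        JsonConvert.DeserializeObject<CameraRequest>(json,
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto });

    // Hardened: type metadata is ignored; the binder only matters if some code
    // path later re-enables Objects/Auto, and then it rejects unknown names.
    public static CameraRequest ParseHardened(string json) =>
        JsonConvert.DeserializeObject<CameraRequest>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.None,
            SerializationBinder = new AllowlistBinder()
        });
}
```

With `ParseHardened`, a request carrying `"$type": "<anything>"` is deserialized as a plain `CameraRequest` and no attacker-chosen type is ever constructed.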

Compounding the risk, a fallback protocol over HTTP on TCP/55752 (CVE-2025-30026) implements a stateful binary channel with AES encryption and RSA key exchange but exposes an unauthenticated endpoint at /_/, bypassing the Negotiate authentication scheme (requiring Kerberos or NTLM).

This allows unauthenticated attackers to initiate Axis.Remoting sessions and chain with the deserialization flaw for full pre-auth RCE, granting control over managed camera fleets.

Axis Camera Server
A sample of Axis Communications cameras.

Team82 further illustrated lateral movement by leveraging Axis’s ACAP Native SDK to create malicious packages, installable via compromised servers, achieving code execution on individual cameras and enabling feed hijacking or shutdowns.

Widespread Exposure

Internet scans via tools like Censys and Shodan identified over 6,500 exposed Axis.Remoting services, with more than half in the United States, each potentially overseeing hundreds of cameras in critical sectors.

The protocol’s NTLMSSP handshake leaks sensitive details like hostnames and Active Directory domains, facilitating targeted reconnaissance for granular attacks.

Axis’s advisory confirms no known public exploits as of publication, emphasizing the absence of prior exploitation and crediting ethical researchers.

According to the report, organizations are urged to upgrade immediately to the patched versions, AXIS Camera Station Pro 6.9, AXIS Camera Station 5.58, and AXIS Device Manager 5.32, available through Axis’s support channels.

For those unable to update promptly, mitigating steps include restricting network exposure of ports 55752-55754, enabling strict firewall rules, and monitoring for anomalous NTLM traffic.

This incident underscores the perils of proprietary protocols in IoT ecosystems, where deserialization vulnerabilities and authentication weaknesses can cascade into broad network compromises, potentially undermining physical security infrastructures reliant on Axis’s high-end solutions.

Axis has commended Team82’s swift disclosure process, highlighting collaborative efforts to enhance product security amid growing restrictions on alternative vendors.
