Claroty’s Team82 research unit has disclosed four vulnerabilities affecting Axis Communications’ widely deployed video surveillance ecosystem, potentially endangering thousands of organizations worldwide.
These flaws, centered on the proprietary Axis.Remoting communication protocol, allow pre-authentication remote code execution (RCE) on key components such as Axis Device Manager (ADM) and Axis Camera Station.
Axis, a leading Swedish supplier of IP cameras and related systems, promptly acknowledged the issues and released patches following Team82’s private disclosure.
Critical Flaws in Proprietary Axis.Remoting Protocol
The vulnerabilities, tracked under CVEs including CVE-2025-30023 (CVSS v3.1 score of 9.0, classified as Critical due to CWE-502: Deserialization of Untrusted Data), exploit weaknesses in the protocol’s handling of mutual TLS (mTLS), NTLMSSP authentication, and JSON-based remote procedure calls (RPCs).
Affected versions include AXIS Camera Station Pro prior to 6.9, AXIS Camera Station prior to 5.58, and AXIS Device Manager prior to 5.32, all of which facilitate management and viewing of camera fleets in enterprise environments such as government facilities, airports, and corporate campuses.
The Axis.Remoting protocol, designed for secure client-server interactions in .NET-based Windows environments, wraps communications in TLS but fails to properly validate self-signed certificates, permitting man-in-the-middle (MiTM) attacks.
Researchers demonstrated how attackers can intercept connections, decrypt traffic, and exploit NTLMSSP’s lack of message signing to perform pass-the-hash authentication bypasses (CVE-2025-30024).
This permits impersonation of legitimate clients, forwarding challenges to authenticated users and altering requests to invoke arbitrary RPC methods.
Deeper analysis revealed that the protocol relies on ServiceContract patterns for RPC, where non-primitive arguments undergo deserialization using TypeNameHandling.Auto in JSON serializers.
This configuration allows attackers to inject malicious $type fields, crafting payloads that trigger RCE during object construction, as validated using tools like ysoserial.net to execute PowerShell scripts on servers with NT AUTHORITY\SYSTEM privileges.
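To show why a JSON serializer that honours a `$type` field is dangerous, here is an added C# example (not Axis or Team82 code) that places the weak Json.NET setting the report describes beside a hardened one. The `CameraQuery` type, the `AllowListBinder`, and the sample JSON are constructed for illustration; the Json.NET APIs (`TypeNameHandling`, `ISerializationBinder`, `JsonSerializerSettings`) are the real Newtonsoft.Json ones.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical non-primitive RPC argument, standing in for a ServiceContract parameter.
public class CameraQuery
{
    public string Site { get; set; }
    public int MaxResults { get; set; }
}

// Allow-list binder: a $type name is resolved only if it is explicitly listed here.
// Everything else is rejected before any object is constructed.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(CameraQuery).FullName, typeof(CameraQuery) }
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        throw new JsonSerializationException(
            $"Type '{typeName}' is not permitted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class RpcArgs
{
    // WEAK: the configuration the report attributes to Axis.Remoting. With Auto,
    // a $type field inside attacker-controlled JSON selects the .NET type that
    // gets instantiated while the argument is being deserialized.
    public static readonly JsonSerializerSettings Weak = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto
    };

    // HARDENED: never take the runtime type from the input (None), and keep an
    // allow-list binder as defence in depth should type names ever be enabled.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None,
        SerializationBinder = new AllowListBinder()
    };

    public static CameraQuery Parse(string json, JsonSerializerSettings settings)
        => JsonConvert.DeserializeObject<CameraQuery>(json, settings);
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: a normal call, and one carrying an unexpected $type field.
        string benign = "{\"Site\":\"lobby\",\"MaxResults\":10}";
        string typed  = "{\"$type\":\"Some.Unlisted.Type\",\"Site\":\"lobby\",\"MaxResults\":10}";

        // Under the hardened settings the $type field is not used to choose a type;
        // the argument is always materialised as the declared CameraQuery.
        var q1 = RpcArgs.Parse(benign, RpcArgs.Hardened);
        var q2 = RpcArgs.Parse(typed, RpcArgs.Hardened);
        Console.WriteLine($"benign -> {q1.Site}/{q1.MaxResults}, typed -> {q2.Site}/{q2.MaxResults}");

        // The binder itself refuses any type name that is not on the allow-list.
        try
        {
            new AllowListBinder().BindToType(null, "Some.Unlisted.Type");
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("Blocked: " + e.Message);
        }
    }
}
```

The practical rule the example encodes: for RPC arguments that arrive from the network, leave `TypeNameHandling` at `None` and declare concrete parameter types, so the serializer never has to trust a type name supplied by the caller; if polymorphic arguments are unavoidable, an allow-list `ISerializationBinder` limits what a `$type` field can name.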
Compounding the risk, a fallback protocol over HTTP on TCP/55752 (CVE-2025-30026) implements a stateful binary channel with AES encryption and RSA key exchange but exposes an unauthenticated endpoint at /_/, bypassing the Negotiate authentication scheme (which requires Kerberos or NTLM).
This allows unauthenticated attackers to initiate Axis.Remoting sessions and chain them with the deserialization flaw for full pre-auth RCE, granting control over managed camera fleets.

Team82 further illustrated lateral movement by leveraging Axis’s ACAP Native SDK to create malicious packages, installable via compromised servers, achieving code execution on individual cameras and enabling feed hijacking or shutdowns.
Widespread Exposure
Internet scans via tools like Censys and Shodan identified over 6,500 exposed Axis.Remoting services, more than half of them in the United States, each potentially overseeing hundreds of cameras in critical sectors.
The protocol’s NTLMSSP handshake leaks sensitive details such as hostnames and Active Directory domains, facilitating targeted reconnaissance for granular attacks.
Axis’s advisory confirms no known public exploits as of publication, emphasizing the absence of prior exploitation and crediting ethical researchers.
According to the report, organizations are urged to upgrade immediately to the patched versions AXIS Camera Station Pro 6.9, AXIS Camera Station 5.58, and AXIS Device Manager 5.32, available through Axis’s support channels.
For those unable to update promptly, mitigating steps include limiting network exposure of ports 55752-55754, enabling strict firewall rules, and monitoring for anomalous NTLM traffic.
This incident underscores the perils of proprietary protocols in IoT ecosystems, where deserialization vulnerabilities and authentication weaknesses can cascade into broad network compromises, potentially undermining physical security infrastructures reliant on Axis’s high-end solutions.
Axis has commended Team82’s swift disclosure process, highlighting collaborative efforts to enhance product security amid rising restrictions on other vendors.