Axis camera flaws expose over 6,500 servers to security risk
Claroty's research team has identified four significant vulnerabilities in Axis Communications' video surveillance systems, posing security risks to thousands of organisations around the world.
Axis IP cameras are used across a range of sectors, including government agencies, educational institutions, and large private companies.
According to Claroty, more than 6,500 Axis servers - often responsible for managing extensive camera networks - are currently exposed to the internet and therefore at risk.
Vulnerability details
Claroty's researchers developed an exploit chain targeting both servers and clients in Axis deployments, providing attackers with potential system-level access to entire camera fleets.
Affected systems include Axis Device Manager (ADM), which is used to configure and manage numerous cameras, and Axis Camera Station (ACS), the software that centralises viewing of camera feeds. The vulnerabilities involve Axis' proprietary Axis.Remoting communication protocol.
The exploit chain could allow attackers to hijack, view, or disable live camera feeds. Notably, pre-authentication remote code execution is possible using these flaws, meaning that attackers could gain control of camera systems without first authenticating or interacting with users. "Team82 developed an exploit chain specifically targeting vulnerabilities in Axis Communications' proprietary Axis.Remoting communication protocol which results in pre-auth RCE on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds," the research states.
"Attackers can leverage these exploit chains to access the centralised Axis Device Manager server used by organisations to manage their fleets of Axis devices, as well as the Axis Camera Station, software allowing end-users to access and consume camera feeds in a centralised location. Successful exploits give attackers system-level access on the internal network and the ability to control each of the cameras within a specific deployment. Feeds can be hijacked, watched, and/or shut down. Attackers can exploit these security issues to bypass authentication to the cameras and gain pre-authentication remote code execution on the devices."
Claroty privately disclosed the vulnerabilities to Axis, which has since released patches for the affected software versions: Axis Camera Station Pro 6.9, Axis Camera Station 5.58, and Axis Device Manager 5.32.
Exposure and potential impact
Analysis of internet-exposed services using scanning platforms such as Censys and Shodan revealed over 6,500 exposed Axis servers, the bulk of which are located in the United States.
Each exposed server may control hundreds or thousands of individual cameras.
The research notes, "Given current bans on Chinese technology in many corners of the world, an organisation's choice of vendors has become somewhat limited, putting more emphasis on the protection of platforms available for these deployments."
Key to the exploitation chain is the way in which the Axis.Remoting protocol authenticates and handles communication between servers and clients. Claroty discovered that the use of self-signed certificates, combined with a lack of connection validation, permits potential man-in-the-middle attacks. Attackers could impersonate valid clients or servers and decrypt communications, because the NTLMSSP challenge and response is handled without message signing.
Describing this process, the research explains, "Since the Axis.Remoting protocol uses self-signed certificates - and does not actually validate each side of the connection - it is possible for attackers to MiTM and impersonate each side in a valid Axis.Remoting connection."
"This enables an attacker to decrypt Axis.Remoting requests/responses, and see the communication going on behind the scenes."
A further risk arises from improper handling of complex data types during deserialisation, making it possible to execute arbitrary code on both servers and clients via remote procedure calls. This risk also extends to the fallback protocols used by Axis services, where Claroty found that anonymous authentication was possible on certain endpoints.
Secondary risks and attack scenarios
Once access is gained to Axis server systems, attackers could move laterally to compromise individual cameras by deploying malicious software packages using legitimate administrative functions.
The research states, "Because the main functionality of the server is to manage and control the cameras, this is actually quite easy and actually an intended use-case for the server."
Response and recommendations
Axis Communications has responded by releasing fixes and recommends all users update to the latest versions of ADM and ACS.
The company reported no knowledge of public exploits targeting these vulnerabilities at the time its advisory was published.
"Team82 wishes to acknowledge Axis Communications' quick response to our disclosure. They accepted our disclosure report and worked on the patches and updates in a timely fashion."
Security experts advise organisations to identify exposed Axis services, apply the relevant updates, and review their network exposure to minimise risk.
Given the scale of deployments and the potential for attackers to gain direct control over surveillance fleets without user interaction, maintaining updated systems remains a priority for organisations using Axis video surveillance products.