Axis Camera Server Vulnerabilities Put Thousands of Organizations at Risk of Cyber Attacks

Critical security flaws in Axis Communications’ surveillance infrastructure have rendered over 6,500 organisations worldwide vulnerable to sophisticated cyberattacks, impacting government agencies, educational institutions, and Fortune 500 companies. The Swedish security camera manufacturer’s widely used video surveillance products contain four distinct vulnerabilities that could enable attackers to gain complete control over camera networks and monitoring systems.

These vulnerabilities specifically target Axis Communications’ proprietary Axis.Remoting communication protocol, which facilitates communication between camera management servers and client applications. Utilised by both Axis Device Manager and Axis Camera Station software, this protocol allows for centralised control of camera fleets across multiple locations. The identified security flaws create an attack chain culminating in pre-authentication remote code execution, effectively bypassing all security measures designed to protect these critical surveillance systems. Researchers from Claroty uncovered these vulnerabilities through extensive analysis of the Axis.Remoting protocol, revealing that the system’s reliance on self-signed certificates and lack of proper message authentication create multiple attack vectors.

The most severe vulnerability involves a critical authentication bypass within Axis.Remoting’s fallback HTTP protocol. While the primary TCP communication channel on port 55754 requires proper authentication, researchers discovered a hidden endpoint accessible via the /_/ path that allows anonymous access. This endpoint employs the same underlying Axis.Remoting protocol but circumvents the AuthenticationSchemes.Negotiate requirement.

The authentication bypass enables attackers to exploit a dangerous deserialization vulnerability in the JSON processing component. The system’s use of the TypeNameHandling.Auto setting permits attackers to specify arbitrary object types through the $type field in JSON requests. This configuration creates a pathway for attackers to instantiate malicious objects that execute code during the deserialization process.

Internet scans conducted using services like Censys and Shodan revealed approximately 3,856 vulnerable servers located in the United States alone, with thousands more distributed globally. Each compromised server potentially manages hundreds or thousands of individual cameras, greatly amplifying the attack surface and potential impact.
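The `$type` behaviour described above can be checked for on the defensive side. The following is an added example, not code from Axis, Claroty or the original article: it walks a captured JSON request body at any nesting depth, reports every `$type` value outside an allow-list, and flags requests to the `/_/` path. The type names, the `/status` path and the sample requests are constructed, and the allow-list is an assumption to be built from your own legitimate traffic.

```python
import json

# Assumption: the only types a client may legitimately name in "$type".
# These names are hypothetical; build the real list from your own traffic.
ALLOWED_TYPES = {"Example.Contracts.PingRequest, Example.Contracts"}
ANON_PATH_PREFIX = "/_/"  # anonymous fallback path named in the article


def find_type_hints(node, path="$"):
    """Yield (json_path, type_name) for every "$type" key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$type":
                yield path, value
            else:
                yield from find_type_hints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_type_hints(item, f"{path}[{i}]")


def assess_request(url_path, body):
    """Return a list of findings for one captured HTTP request."""
    findings = []
    if url_path.startswith(ANON_PATH_PREFIX):
        findings.append("request to anonymous fallback path")
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return findings  # not JSON: nothing to inspect for $type
    for where, type_name in find_type_hints(doc):
        # A non-string $type is never legitimate, so report it as well.
        if not isinstance(type_name, str) or type_name not in ALLOWED_TYPES:
            findings.append(f"unlisted $type at {where}: {type_name!r}")
    return findings


# Constructed sample requests (not captured from a real system).
SAMPLES = [
    ("/_/", '{"$type": "Example.Contracts.PingRequest, Example.Contracts"}'),
    ("/_/", '{"args": [{"$type": "Unlisted.Namespace.Widget, UnlistedAssembly"}]}'),
    ("/status", "not json"),
]

if __name__ == "__main__":
    for url_path, body in SAMPLES:
        print(url_path, assess_request(url_path, body))
```

A finding for an unlisted `$type` on the `/_/` path is the combination the article describes, so it is the one worth alerting on first.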

