Endpoint Security,
Governance & Risk Management,
Internet of Things Security
Four Vulnerabilities Expose Over 6,500 Camera Servers to Pre-Authentication Attacks
Recent research has identified four critical vulnerabilities in the video management and camera software from Axis Communications, rendering thousands of internet-connected surveillance systems susceptible to remote attacks that circumvent authentication protocols.
According to findings from Claroty’s research team, the flaws present a serious risk, allowing attackers to potentially hijack entire security networks, disrupt camera systems, or access live video feeds. The vulnerabilities affect key applications used for managing IP-based security camera infrastructures, namely Axis Device Manager and Axis Camera Station. By exploiting weaknesses within the proprietary Axis Remoting protocol, adversaries can gain unauthorized, root-level remote code execution, effectively compromising the entire surveillance network.
Claroty’s Team82 uncovered more than 6,500 Axis Camera Station servers exposed globally, with the highest concentrations in the United States, Germany, Japan, and the United Kingdom. This widespread exposure amplifies the risk of attacks from financially motivated criminals and advanced persistent threats (APTs) aiming to manipulate physical surveillance capabilities.
As noted in the report, each compromised server can manage hundreds or thousands of cameras. Given the current climate of restrictions on Chinese technology, the selection of vendors is increasingly limited, emphasizing the importance of securing the available platforms.
The most serious flaw, identified as CVE-2024-3159, enables memory corruption within the Axis.Remoting service. This could allow an attacker to hijack application flow and execute arbitrary code, posing a critical threat with a CVSS score of 9.8. Additionally, CVE-2024-3160 permits unauthenticated access by bypassing internal method authentication, stemming from inadequate validation of function calls over the default TCP port.
Another vulnerability, CVE-2024-3161, facilitates path traversal and arbitrary file writing, enabling persistent exploitation and system breaches. This flaw allows attackers to overwrite critical system files, including configuration scripts. A denial-of-service vulnerability also exists due to improper input handling in the Axis.Remoting message parser, which, while not leading to code execution, can disrupt surveillance operations by crashing services.
Axis Communications has addressed all four vulnerabilities in recent software versions, advising users to upgrade promptly and limit external access to the Axis.Remoting TCP port when feasible. The technical analysis indicates that a fully functional remote code execution payload could be developed that avoids detection by exploiting the native Axis.Remoting serialization logic, using MessagePack serialization to forge complex objects and circumvent standard access controls.
These vulnerabilities not only pose a cybersecurity risk but also a potential threat to physical safety, especially as many surveillance systems are deployed in vital infrastructure such as airports and government facilities. A successful attacker could manipulate or disable camera feeds, erase critical recordings, or pivot to other systems within the internal network.
While exploitation has not yet been detected in the wild, the severity of these flaws, along with their broad exposure, makes them potential targets for reconnaissance and lateral movement, underscoring the need for proactive measures. Security teams are encouraged to audit all installations of Axis software for affected versions, apply necessary patches without delay, and monitor traffic on TCP port 55752. Segmenting surveillance networks from general enterprise infrastructure is also recommended to minimize the attack surface.
