Turning Camera Surveillance on its Axis

Black Hat USA 2025 · Day 1 · Briefings

Claroty Team82 researcher Noam Moshe discovered a pre-authentication remote code execution vulnerability chain in Axis Communications' camera management software — Axis Camera Station and Axis Device Manager. Exploiting an unsafe .NET deserialization flaw via a hidden unauthenticated endpoint in a fallback protocol, an attacker with internet access could compromise any exposed Axis server and pivot to take full control of every camera it manages. Approximately 6,500 internet-facing Axis servers were identified on Shodan and Censys, with nearly 4,000 located in the United States.
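
The summary above names the bug class but not the code. The following is an added illustration, not Axis's code and not from the talk: a minimal .NET handler in the unsafe shape the summary describes (a payload from an unauthenticated channel fed to a type-reconstructing serializer) beside a hardened handler. The serializer choice (BinaryFormatter), the class and method names (DeviceCommand, VulnerableHandler, HardenedHandler), the size limit and the action allow-list are all assumptions made for the example; nothing here is taken from the Axis products.

```csharp
// Added illustration (not Axis code): the unsafe .NET deserialization pattern behind
// pre-auth RCE, beside a hardened equivalent. All names and limits are hypothetical.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

namespace DeserializationDemo
{
    // Hypothetical message a legitimate client would send over a fallback channel.
    [Serializable]
    public sealed class DeviceCommand
    {
        public string DeviceId { get; set; } = "";
        public string Action { get; set; } = "";
    }

    public static class VulnerableHandler
    {
        // Unsafe: BinaryFormatter rebuilds whatever object graph the sender encodes,
        // including gadget chains whose constructors or callbacks run code during
        // deserialization. Nothing checks who sent the bytes before this call, which is
        // the shape of a pre-authentication RCE. Modern .NET disables BinaryFormatter by
        // default for exactly this reason (SYSLIB0011); the pragma only silences the warning.
        public static object Handle(byte[] payload)
        {
            using var ms = new MemoryStream(payload);
#pragma warning disable SYSLIB0011
            var formatter = new BinaryFormatter();
            return formatter.Deserialize(ms);
#pragma warning restore SYSLIB0011
        }
    }

    public static class HardenedHandler
    {
        // Assumed limit for the example.
        private const int MaxPayloadBytes = 64 * 1024;

        // Safer shape: authenticate first, cap the size, then bind to one concrete DTO with
        // a serializer that does not honor sender-supplied type names. The object graph is
        // fixed at compile time, so there is no gadget chain for the payload to trigger.
        public static DeviceCommand Handle(byte[] payload, Func<bool> isAuthenticated)
        {
            if (!isAuthenticated())
                throw new UnauthorizedAccessException("fallback channel requires an authenticated session");
            if (payload.Length > MaxPayloadBytes)
                throw new InvalidDataException("payload exceeds size limit");

            var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
            DeviceCommand cmd = JsonSerializer.Deserialize<DeviceCommand>(payload, options)
                                ?? throw new InvalidDataException("empty command");

            // Semantic validation after structural binding; the allow-list is illustrative.
            if (cmd.Action != "reboot" && cmd.Action != "status")
                throw new InvalidDataException($"unsupported action '{cmd.Action}'");
            return cmd;
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed sample input: a well-formed JSON command. An attacker targeting
            // VulnerableHandler.Handle would instead send a BinaryFormatter gadget chain.
            byte[] sample = Encoding.UTF8.GetBytes("{\"DeviceId\":\"cam-01\",\"Action\":\"status\"}");
            DeviceCommand cmd = HardenedHandler.Handle(sample, () => true);
            Console.WriteLine($"{cmd.DeviceId} -> {cmd.Action}");
        }
    }
}
```

The practitioner's check when auditing a management server of this kind is the one the vulnerable class makes visible: find every code path that reaches a type-reconstructing deserializer (BinaryFormatter, NetDataContractSerializer, SoapFormatter, or a JSON serializer with type-name handling enabled) and confirm that authentication and size limits sit in front of it on every transport, including any legacy or fallback protocol that the main listener hands off to.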

AI review

Clean pre-auth RCE chain against roughly 6,500 internet-exposed camera management servers: unauthenticated .NET deserialization through a hidden fallback endpoint gives code execution on the server, and from there full control of every camera it manages. The vulnerability class is textbook, but the discovery methodology and the pivot-to-all-cameras step are what make this worth your time.