Ethical Hacking News
Over 6,500 servers have been found exposing the proprietary Axis.Remoting protocol used by Axis Communications' video surveillance management software to the internet, and Claroty has disclosed four vulnerabilities in that protocol and the services built on it. Together, the flaws allow pre-authentication remote code execution on Axis Device Manager and Axis Camera Station; an attacker who gets that far could take control of the cameras in a deployment, hijack or watch their feeds, or shut them down. Axis has released fixed versions of the affected products.
The findings were published by Claroty researcher Noam Moshe, who identified multiple security vulnerabilities in the proprietary Axis.Remoting protocol that Axis Device Manager and Axis Camera Station use to talk to their clients and to the managed cameras.
According to Moshe, the vulnerabilities can be exploited to achieve pre-authentication remote code execution on Axis Device Manager and Axis Camera Station. From there an attacker could take control of the cameras within a deployment, hijack feeds, watch them, or shut them down. Moreover, a successful exploit gives the attacker system-level access on the internal network where the management server runs.
Four CVEs were assigned. CVE-2025-30023 (CVSS score: 9.0) is a flaw in the communication protocol used between client and server that could let an authenticated user perform a remote code execution attack. CVE-2025-30024 is a second flaw in the same client-server protocol that could be leveraged to execute an adversary-in-the-middle (AitM) attack. CVE-2025-30025 is a flaw in the communication protocol used between the server process and the service control that could lead to local privilege escalation. CVE-2025-30026 is a flaw in the Axis Camera Station Server that could lead to authentication bypass. Note that CVE-2025-30023 as described requires an authenticated user, which is why the authentication-bypass and AitM flaws in the same protocol matter alongside it.
Axis has fixed these vulnerabilities in Camera Station Pro 6.9, Camera Station 5.58 and Device Manager 5.32. However, Claroty found over 6,500 servers exposing the proprietary Axis.Remoting protocol and its services to the internet, nearly 4,000 of them in the U.S.
The AitM flaw is particularly serious because an attacker positioned between the Camera Station server and its clients can alter requests and responses in transit and execute arbitrary actions on either the server or the client systems. So far there is no evidence that any of these issues have been exploited in the wild.
Users of Axis surveillance products should therefore upgrade Camera Station, Camera Station Pro and Device Manager to the fixed versions or later as soon as possible, since unpatched installations allow an attacker to bypass authentication and gain pre-authentication remote code execution on the management server, and through it reach the cameras it controls. Regardless of patch level, the Axis.Remoting service should not be reachable from the internet; the 6,500 exposed servers are the population an attacker can reach without first being on the internal network.
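The fixed versions named above and the exposure count are the two facts a defender needs for triage. The following script is an added example, not code from Axis, Claroty or this article: it takes an asset inventory of Axis management servers, compares each recorded version against the minimum fixed release for its product line, and ranks internet-exposed unpatched hosts first. The product names, the `internet_exposed` field and the sample inventory are assumptions about how an organisation's asset list might look; the hostnames and versions in `SAMPLE_INVENTORY` are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Minimum fixed releases per product line, as reported in the article above.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "AXIS Camera Station Pro": (6, 9),
    "AXIS Camera Station": (5, 58),
    "AXIS Device Manager": (5, 32),
}


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool  # assumption: filled in from an external scan or firewall review


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.9', '5.58.1' or '6.9-rc1' into an int tuple that compares numerically.
    A trailing non-numeric suffix in a component is dropped, so '6.9-rc1' sorts
    as 6.9; tighten this if your inventory tracks pre-release builds."""
    parts: list[int] = []
    for comp in text.strip().split("."):
        digits = ""
        for ch in comp:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if version >= the fixed release for this product line, False if older,
    None if the product line is not one this script knows about."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    # Tuple comparison is numeric per component, so (5, 6) < (5, 58) as intended
    # and (6, 9, 2) >= (6, 9) because the fixed prefix matches.
    return parse_version(version) >= fixed


def triage(assets: list[Asset]) -> dict[str, list[str]]:
    """Bucket hosts by urgency. Internet-exposed, unpatched servers go first,
    since those are the population Claroty counted as reachable from outside."""
    buckets: dict[str, list[str]] = {"critical": [], "high": [], "review": [], "ok": []}
    for asset in assets:
        patched = is_patched(asset.product, asset.version)
        if patched is None:
            buckets["review"].append(asset.host)      # unknown product line: check by hand
        elif patched:
            buckets["ok"].append(asset.host)
        elif asset.internet_exposed:
            buckets["critical"].append(asset.host)    # unpatched and reachable from the internet
        else:
            buckets["high"].append(asset.host)        # unpatched but internal only
    return buckets


# Constructed sample inventory: hostnames, versions and exposure flags are made up.
SAMPLE_INVENTORY = [
    Asset("acs-hq-01", "AXIS Camera Station Pro", "6.8.3", True),
    Asset("acs-hq-02", "AXIS Camera Station Pro", "6.9", False),
    Asset("acs-branch", "AXIS Camera Station", "5.57.2", False),
    Asset("adm-ops", "AXIS Device Manager", "5.32.1", True),
    Asset("nvr-legacy", "AXIS Camera Station", "5.6", True),
    Asset("vms-other", "Some Other VMS", "2.1", True),
]

if __name__ == "__main__":
    for level, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{level:9s} {', '.join(hosts) or '-'}")
```

The version parser is deliberately numeric rather than string-based: a lexicographic comparison would rank "5.6" above "5.58" and mark an old Camera Station install as patched. Hosts whose product line is not in the table land in a "review" bucket rather than being silently treated as safe.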
Related Information:
https://www.ethicalhackingnews.com/articles/Axiom-6500-Axis-Servers-Expose-Remoting-Protocol---A-Critical-Vulnerability-That-Could-Expose-Cameras-to-Takeover-Attacks-ehn.shtml
https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html
Published: Thu Aug 7 12:04:03 2025 by llama3.2 3B Q4_K_M