
Researcher Demonstrates Critical Flaws in Axis IP Camera Systems
Noam Moshe, lead vulnerability researcher at Team82 (Claroty), presented a Black Hat talk on exploiting Axis Communications' IP camera surveillance systems via critical flaws in their Axis.Remoting protocol. The research targeted Axis OS-based cameras and the centralized management software (Axis Device Manager and Axis Camera Station), which are widely deployed in enterprises, medical institutions, and government facilities.

Moshe demonstrated a pre-authentication remote code execution (RCE) vulnerability in the protocol’s JSON deserialization mechanism, enabling attackers to compromise servers and pivot to connected cameras without prior credentials. The attack exploited a hidden, unauthenticated endpoint (//) in a fallback HTTP-based protocol, bypassing NTLM authentication checks, and leveraged man-in-the-middle techniques with ysoserial to generate malicious .NET payloads.

Over 6,500 exposed Axis servers were identified via Shodan, with ~4,000 located in the U.S., including targets in education, healthcare, and corporate sectors. Axis responded swiftly to the disclosure, releasing patches months prior to the talk, though the vulnerability stemmed from legitimate functionality in the server software rather than the cameras themselves. The research underscored the risks of exposing encrypted-but-vulnerable services to the internet, even when vendors claim security.