Security researchers from Claroty Team82 have disclosed four critical vulnerabilities in Axis Communications’ popular video surveillance products, potentially exposing thousands of organizations worldwide to sophisticated cyberattacks.
The Swedish company has issued urgent patches addressing what experts describe as a dangerous exploit chain targeting the proprietary Axis.Remoting communication protocol.
Critical Deserialization Flaw Enables Remote Code Execution
The most severe vulnerability, designated CVE-2025-30023, has been assigned a critical CVSS score of 9.0 and affects multiple Axis products, including Camera Station Pro versions before 6.9, Camera Station versions before 5.58, and Device Manager versions below 5.32.
The flaw stems from a deserialization vulnerability in the communication protocol between client and server systems, classified as CWE-502: Deserialization of Untrusted Data.
Team82 researcher Noam Moshe discovered that the Axis.Remoting protocol uses JSON serialization with the TypeNameHandling.Auto setting, a dangerous configuration that allows attackers to specify arbitrary object types during deserialization.
This enables authenticated users to execute remote code on both server and client systems by crafting malicious JSON payloads containing $type fields that instruct the deserializer to create harmful objects.
The vulnerability affects the core infrastructure used by organizations to manage camera fleets. Axis Device Manager serves as a centralized platform for configuring multiple cameras across different locations, while Axis Camera Station functions as network video recorder software for viewing surveillance feeds.
Both systems run on Windows machines and utilize the .NET Framework architecture.
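To make the misconfiguration concrete, here is an added example (not Axis code, not from the Team82 write-up) showing the weak Json.NET setting beside two hardened alternatives: disabling type-name handling entirely, or keeping it behind an allow-list binder. CameraInfo, MaintenanceCommand and the sample message are hypothetical and constructed for illustration; the code assumes Newtonsoft.Json 10 or later, where ISerializationBinder is available.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message type; the object-typed member is where a $type hint is honoured.
public class CameraInfo { public string Name { get; set; } public object Payload { get; set; } }
// Hypothetical stand-in for "any type the sender chooses to name" (harmless here).
public class MaintenanceCommand { public string Action { get; set; } }
// Allow-list binder: a $type hint may only resolve to types registered here.
public class AllowListBinder : ISerializationBinder
{
    static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { [typeof(CameraInfo).FullName] = typeof(CameraInfo) };
    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Anything else is refused before an instance is ever constructed.
        throw new JsonSerializationException("Refused $type hint: " + typeName);
    }
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: the sender names a type the receiver never declared for Payload.
        string untrusted = "{\"Name\":\"lobby\",\"Payload\":{\"$type\":\""
            + typeof(MaintenanceCommand).AssemblyQualifiedName + "\",\"Action\":\"reboot\"}}";
        // Weak (the CWE-502 pattern): Auto constructs whatever class the input names.
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
        var obj = JsonConvert.DeserializeObject<CameraInfo>(untrusted, weak);
        Console.WriteLine(obj.Payload.GetType().Name);   // the type was chosen by the sender
        // Hardened: None ignores $type, so Payload stays an inert JObject.
        var hardened = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        obj = JsonConvert.DeserializeObject<CameraInfo>(untrusted, hardened);
        Console.WriteLine(obj.Payload.GetType().Name);   // declared shape wins, hint not honoured
        // If polymorphism is genuinely needed, keep Auto but gate it behind the allow list.
        var gated = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto,
                                                SerializationBinder = new AllowListBinder() };
        try { JsonConvert.DeserializeObject<CameraInfo>(untrusted, gated); }
        catch (JsonSerializationException e) { Console.WriteLine(e.Message); }
    }
}
```

Auditing a .NET code base for TypeNameHandling values other than None on any deserializer that reads network input is the quickest way to find this class of bug before a researcher does.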
Authentication Bypass Amplifies Attack Surface
Beyond the deserialization flaw, Team82 uncovered an authentication bypass vulnerability (CVE-2025-30026) in the fallback HTTP protocol used when primary connections fail.
The researchers discovered a hidden endpoint beginning with “_/” that bypasses the standard Negotiate authentication scheme, allowing anonymous access to Axis.Remoting services.

This authentication bypass transforms the deserialization vulnerability from an authenticated attack into a pre-authentication remote code execution scenario, significantly expanding the attack surface. Successful exploitation grants attackers NT AUTHORITY\SYSTEM privileges on Windows-based Axis servers.
Internet scans conducted using Censys and Shodan revealed over 6,500 servers exposing Axis.Remoting services online, with nearly 4,000 located in the United States.
Each server potentially manages hundreds or thousands of individual cameras across enterprise, government, educational, and healthcare facilities.
Patches Available, Immediate Updates Recommended
Axis Communications has released patches addressing all disclosed vulnerabilities. Organizations should immediately update to Axis Camera Station Pro 6.9, Camera Station 5.58, or Device Manager 5.32.

The company states that no public exploits currently exist and that it is unaware of active exploitation attempts.
The vulnerabilities highlight critical risks in network-connected surveillance infrastructure, where successful attacks could enable unauthorized access to camera feeds, system shutdown capabilities, or lateral movement within organizational networks.