Trend Micro researchers uncovered a serious security lapse involving hardcoded Azure Storage Account credentials embedded within multiple signed DLLs used in an official Axis Communications plugin for Autodesk® Revit®.
The exposure, reported under multiple Trend Zero Day Initiative™ advisories (ZDI-24-1181, ZDI-24-1328, ZDI-24-1329, and ZDI-25-858), revealed that Axis’s cloud accounts, responsible for distributing Revit plugin installers and product model files, were accessible with read and write privileges, potentially enabling full compromise of storage content.
Cloud Credential Exposure in Autodesk Revit Plugin
In July 2024, Trend Micro’s automated scanning rule for Azure Shared Access Signature (SAS) tokens flagged a suspicious signed DLL, AzureBlobRestAPI.dll, issued to AEC AB, an Autodesk partner.
The analysis revealed plaintext SAS tokens and access keys for Axis storage accounts named “axisfiles” and “axiscontentfiles” embedded in the class AzureBlobRestAPI.DataTypes.Classes.Global.

These credentials granted attackers complete control over stored content, including MSI installers for the “AXIS Plugin for Autodesk Revit” and Revit Family Architecture (RFA) model files, which customers use to import Axis device models into Revit environments.
This discovery raised significant supply chain risks. The plugin’s MSI installers were publicly retrievable, and authenticated access using the exposed keys enabled attackers to modify or upload malicious installers and RFA files.
Such tampering could initiate a widespread supply-chain compromise of Axis’s enterprise and public safety clientele using Revit-based design workflows.
From Inadequate Fixes to RCE Exploitation Potential
After Trend’s initial disclosure, Axis released version 25.3.710 to obfuscate the credentials within DLLs using tools such as Eazfuscator. However, researchers easily de-obfuscated these using de4dot, recovering valid access keys for additional accounts like “axisapphelpfiles.”
Later versions, including 25.3.711, replaced hardcoded keys with less-privileged SAS tokens, but remnants of previous insecure versions remained accessible in the stored plugin installers, which effectively nullified the partial fix.
Complete remediation was achieved only in version 25.3.718 (March 2025), when Axis invalidated legacy credentials and revoked write access.

Simultaneously, Trend ZDI researchers discovered remote code execution flaws in Autodesk Revit’s RFA file parser that could allow attackers to trigger arbitrary code execution if malicious model files were loaded.
If an attacker had replaced legitimate RFA files in Axis’s storage using the leaked credentials, these flaws could have enabled a multi-stage supply chain attack replacing legitimate design assets with malicious payloads.
Axis Communications confirmed that all vulnerabilities have since been patched and that no unauthorized access occurred.
This incident underscores the cascading risks of hardcoded cloud credentials in signed software and the urgent need for proactive supply chain security, strict credential management, and continuous scanning of release artifacts to prevent exploitation of trusted distribution channels.
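One way to implement the continuous scanning of release artifacts described above, as an added example (not Trend Micro's detection rule and not code from Axis or Autodesk): a scanner that looks for Azure SAS tokens and storage account keys inside a binary, in both ASCII and UTF-16LE, and flags tokens that carry write-capable permissions. The account name, key and token in `constructed_sample` are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs

# .NET string literals live in the #US heap as UTF-16LE, so scan both encodings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{16,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){16,}")
# A storage account key is 64 random bytes: 86 base64 characters plus "==".
ACCOUNT_KEY = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==")
# A SAS token is a query string carrying a signature (sig=) and a version (sv=).
SAS_QUERY = re.compile(r"(?<![\w%&=:.+/-])[\w%&=:.+/-]*sig=[\w%&=:.+/-]+")
WRITE_PERMS = set("wdac")  # write, delete, add, create

def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for printable runs in a binary."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def scan_artifact(data: bytes) -> list:
    """Return findings for embedded SAS tokens and account keys, without echoing secrets."""
    findings = []
    for offset, enc, text in extract_strings(data):
        for m in SAS_QUERY.finditer(text):
            fields = parse_qs(m.group())
            if "sv" not in fields:
                continue  # has sig= but is not shaped like a SAS token
            perms = fields.get("sp", [""])[0]
            findings.append({"kind": "sas-token", "offset": offset, "encoding": enc,
                             "permissions": perms, "expires": fields.get("se", [None])[0],
                             "write_capable": bool(set(perms) & WRITE_PERMS)})
        for m in ACCOUNT_KEY.finditer(text):
            findings.append({"kind": "account-key", "offset": offset, "encoding": enc,
                             "preview": m.group()[:4] + "..."})
    return findings

def constructed_sample() -> bytes:
    """Constructed stand-in for a DLL: fake key as UTF-16LE, fake SAS as ASCII."""
    key = base64.b64encode(bytes(range(64))).decode()
    conn = f"AccountName=examplestore;AccountKey={key};EndpointSuffix=core.windows.net"
    sas = ("https://examplestore.blob.core.windows.net/files?sv=2022-11-02&sp=rwdl"
           "&se=2030-01-01T00:00:00Z&sig=" + "A" * 43 + "%3D")
    return b"MZ\x90\x00" + conn.encode("utf-16-le") + b"\x01\xff" + sas.encode("ascii") + b"\x00"

if __name__ == "__main__":
    for finding in scan_artifact(constructed_sample()):
        print(finding)
```

Strings encrypted by an obfuscator will not match these patterns, so a clean result from a string scan does not show that a build ships no credential; any key that has ever shipped still has to be rotated.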