Critical Flaws in Axis Video Surveillance Expose Corporate Networks to Takeover
Experts at Claroty have uncovered a series of critical vulnerabilities in Axis Communications’ video surveillance product line which, if successfully exploited, could grant an attacker complete control over the affected devices. At risk are the Axis Device Manager server — used for configuring and administering camera fleets — and the Axis Camera Station client software, designed for viewing video streams.
These flaws allow for unauthenticated remote code execution, creating a direct pathway into corporate networks. The issues stem from defects in the proprietary protocol used for communication between client and server, as well as in certain service components. Network scans revealed over 6,500 servers openly exposing the Axis.Remoting protocol, significantly broadening the attack surface for targeted attacks leveraging these vulnerabilities.
The identified issues include four CVEs:
- CVE-2025-30023 (CVSS 9.0) — affects the client–server data exchange protocol and enables authenticated users to execute remote code. Patched in Camera Station Pro 6.9, Camera Station 5.58, and Device Manager 5.32.
- CVE-2025-30024 (CVSS 6.8) — also tied to this protocol, enabling man-in-the-middle attacks. Resolved in Device Manager 5.32.
- CVE-2025-30025 (CVSS 4.8) — relates to communication between the server process and its management service, potentially allowing privilege escalation on the local machine. Fixed in Camera Station Pro 6.8 and Device Manager 5.32.
- CVE-2025-30026 (CVSS 5.3) — allows authentication bypass on the Axis Camera Station server. Addressed in Camera Station Pro 6.9 and Camera Station 5.58.
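Because the four fixes land in different releases of three product lines, a fleet owner's first question is which hosts still carry which CVE. The following Python script is an added example (not Claroty's or Axis's code) that encodes only the fixed versions stated in the list above and reports, per host, the unpatched CVEs ordered by CVSS. It assumes that every release of a product line earlier than the stated fix is affected, that version strings are dot-separated integers, and that a product not named under a CVE is not affected by it; the inventory at the bottom is constructed sample data.

```python
"""Patch-status triage for the four Axis CVEs in the advisory above.

Added example, not code from Claroty or Axis Communications. Only the fixed
versions stated in the advisory are encoded; the assumption that every
earlier release of the same product line is affected is ours.
"""
from __future__ import annotations

# CVE -> {product line: first fixed version}, exactly as stated in the advisory.
FIXED_IN: dict[str, dict[str, str]] = {
    "CVE-2025-30023": {"Camera Station Pro": "6.9", "Camera Station": "5.58",
                       "Device Manager": "5.32"},
    "CVE-2025-30024": {"Device Manager": "5.32"},
    "CVE-2025-30025": {"Camera Station Pro": "6.8", "Device Manager": "5.32"},
    "CVE-2025-30026": {"Camera Station Pro": "6.9", "Camera Station": "5.58"},
}

# CVSS base scores as given in the advisory, used only to order findings.
CVSS: dict[str, float] = {
    "CVE-2025-30023": 9.0,
    "CVE-2025-30024": 6.8,
    "CVE-2025-30025": 4.8,
    "CVE-2025-30026": 5.3,
}

KNOWN_PRODUCTS = {p for fixes in FIXED_IN.values() for p in fixes}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.58.2' into (5, 58, 2); refuse anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(installed: str, required: str) -> bool:
    """Component-wise comparison with zero padding, so 6.9 == 6.9.0 and 5.58.1 >= 5.58."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_cves(product: str, installed_version: str) -> list[str]:
    """Return the CVEs whose fix this product/version does not yet include, highest CVSS first.

    Assumption (ours, not the advisory's): any release below the fixed version is affected.
    """
    if product not in KNOWN_PRODUCTS:
        raise ValueError(f"unknown product line: {product!r}")
    open_cves = [
        cve for cve, fixes in FIXED_IN.items()
        if product in fixes and not version_at_least(installed_version, fixes[product])
    ]
    return sorted(open_cves, key=lambda c: CVSS[c], reverse=True)


def triage(inventory: list[dict[str, str]]) -> list[dict[str, object]]:
    """Run unpatched_cves over an inventory and keep only hosts with open findings."""
    findings = []
    for host in inventory:
        cves = unpatched_cves(host["product"], host["version"])
        if cves:
            findings.append({**host, "unpatched": cves})
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not from the advisory.
    sample_inventory = [
        {"host": "vms-01.example.test", "product": "Camera Station Pro", "version": "6.8"},
        {"host": "vms-02.example.test", "product": "Camera Station Pro", "version": "6.9.1"},
        {"host": "adm-01.example.test", "product": "Device Manager", "version": "5.31"},
        {"host": "legacy-01.example.test", "product": "Camera Station", "version": "5.57"},
    ]
    for finding in triage(sample_inventory):
        print(f"{finding['host']:24} {finding['product']:20} {finding['version']:8} "
              f"-> {', '.join(finding['unpatched'])}")
```

Note the two-step fix on the Camera Station Pro line: a host on 6.8 has closed CVE-2025-30025 but still carries CVE-2025-30023 and CVE-2025-30026, which is why the script checks each CVE's fixed version separately instead of a single "latest version" threshold.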
Exploitation of these flaws could place an adversary in a man-in-the-middle position between server and clients, intercepting and modifying requests and responses, or executing arbitrary actions on both ends.
Once an attacker gains system-level access within the internal network, they could seize full control over the camera infrastructure — intercepting or replacing video feeds, disabling streams, bypassing authentication mechanisms, and running arbitrary code on devices. While no in-the-wild exploitation has been observed to date, the potential impact is considered extremely severe.
Axis Communications has issued patches, and users are strongly advised to update to the secured versions without delay to mitigate the risk of remote compromise and video system infiltration.