Noam Moshe
You're listening to the Cyberwire Network powered by N2K.
CompTIA/N2K Representative
Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first-ever AI certification focused on artificial intelligence and cybersecurity, and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI practice exam is coming out this year to help you prepare for the certification release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net. And thanks.
Dave Bittner
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Noam Moshe
Initially we looked at Axis, one of the major and leading brands in the world of camera surveillance. And the reason why we started looking for vulnerabilities in the Axis product line was because we noticed a very common trend of banning Chinese manufactured and made product lines, and essentially leaving organizations with less options to...
Dave Bittner
That's Noam Moshe, Claroty's vulnerability research team lead. The research we're discussing today is titled "Turning Camera Surveillance on its Axis."
Noam Moshe
And this very, like, not saturated market of video surveillance, after the world of banning most if not all Chinese vendors, basically left two, three, maybe four big players in the field. And because of that, finding one critical vulnerability or vulnerability chain in one of these major vendors could lead to devastating effects affecting thousands of different companies.
Dave Bittner
Well, for folks who might not be familiar with Axis Communications and their camera systems, where are they from? Where are these products made?
Noam Moshe
So Axis is a Swedish company at its core, I believe, and we mainly see it in the US market. Now, it's important to say that Axis is not a home user camera, meaning it's not a camera I'll set up in my home office or at my perimeter. Instead it is more enterprise grade, enterprise ready, essentially allowing organizations and big organizations to have up to, like, a few thousand cameras as part of their camera fleet. So you'll see them in big companies, like medium to big companies, medical and educational institutions, governments, all sorts of locations.
Dave Bittner
I see. Well help paint a picture for us here. My understanding is there is an Axis Device Manager and a camera station that play a critical role in managing this surveillance infrastructure. Is my understanding correct here? And why do those components matter?
Noam Moshe
So essentially when you have more than one camera, you need to have one centralized way to control, manage and consume the actual video feed of your cameras. And because we are talking about organizations that could have, like, fleets of thousands and tens of thousands of devices, they cannot control, manage and consume the feed from each camera directly. And instead Axis implemented, like, a centralized solution that allows users to control and manage and actually see the video feed of your entire camera fleet in one centralized location. And this is exactly what Axis Device Manager and Axis Camera Station are. These are centralized servers that you install, and basically through them you are able to modify, backup, restore, control configuration and actually view the camera feed of all of your cameras in one location.
Dave Bittner
Well, describe for us what happened when you all went looking at their protocols here. What did you discover?
Noam Moshe
So in our research, we wanted to see what kind of communications and what kinds of protocols we'll see in the Axis ecosystem. And soon enough we discovered that Axis implemented their own custom proprietary protocol, that we call Axis Remoting, that allows a client and a server to connect and communicate with one another. Essentially it's a closed source protocol, meaning there's no documentation, no open source tools, no nothing about how this protocol actually looks under the hood. It allows a client application to connect to these centralized servers and use the functionalities they expose. So for example, if we're talking about Axis Device Manager, it allows the sysadministrators to control, configure, see the status of all of the cameras. Now, while this protocol is fully encrypted, fully authenticated, essentially giving users the impression that it is fully secure and fully okay to expose it to the Internet, we discovered a few vulnerabilities that when chained together could allow an attacker to essentially gain pre-auth remote code execution on these centralized servers. Now, this essentially allows the attacker, without any prior knowledge, without credentials, without anything, just the ability to connect to the server. It allows them to execute arbitrary code and fully control the server itself, and thus gaining two things. First, they gain a pivot point and leverage into someone's network, an organization's network that actually deploys the Axis cameras. And not only do they control the server, they also control the cameras themselves. Because at the end of the day, the use case, the business logic of this server is to control the cameras and manage them.
And because of that, once this server is compromised, you are able to move laterally and fully control all the different cameras and all the different fleets that this server manages, giving you access to both the networks and the cameras themselves, meaning the camera feeds and anything they are accessible to.
Dave Bittner
Now, you all uncovered a pass-the-challenge vulnerability. Can you explain to us what exactly that means?
Noam Moshe
Yes. So essentially we discovered four or five vulnerabilities. One of them was a pass-the-challenge vulnerability. And essentially what this vulnerability means is that it allows a user with a man-in-the-middle setup, essentially an attacker that is sitting in the middle of a client and a server's connection, to intervene and basically take control over the connection. By using this man-in-the-middle server, you expose your own server and essentially pass the requests from the client to the server and the responses from the server to the client. Now, one of the first things that happens in this proprietary protocol is that the client must authenticate, and to authenticate users and make sure they are valid users, Axis chose to use NTLMSSP, or NTLM challenge-response. Essentially it's a very common protocol in Windows-based networks and it allows a server to identify users as legitimate. The drawback of it is that it is susceptible to pass-the-challenge, pass-the-request attacks. So this means that if you achieve man-in-the-middle between an Axis client and a server, you can allow the client to authenticate and pass the authentication requirement for the server, even though you are sitting in the middle and you are able to fully inject and change and alter any response and request whatsoever. So that way, after the client authenticates, you are able to inject your own messages and responses from the client and the server and invoke different vulnerabilities in both that give you remote code execution on both sides, essentially allowing you to execute code on the client and on the server just by having this man-in-the-middle position and passing the challenge that the server sends to the client and the response, essentially the authentication response, sent by the client.
Dave Bittner
We'll be right back. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi. What's your 2 a.m. security worry? Is it "do I have the right controls in place?" Maybe "are my vendors secure?" Or the one that really keeps you up at night: "how do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber. Now, another one of the issues that you highlight in the research is a deserialization issue. Can you unpack that for us?
Noam Moshe
Of course. So this is the core vulnerability and this is the core finding that allows attackers to execute arbitrary code on the client, the server, and, because they control the server, also on the cameras. Now, deserialization is a concept, it's a development concept, where essentially you need to take a class. First of all, deserialization is the opposite of serialization, and both of them are the process of taking a class that is represented in memory. Essentially you have your backend and you have this class and you want to send it over the wire, for example. To do that you need to take the class and transform it into a way to actually send it over the wire. Because you can't send a memory address, you need to have a representation. For example, you'll take the class and represent it via text, and that way you are able to send this text that actually represents the class over the wire. Now, the process of deserialization is exactly the opposite. You take something and you construct an in-memory class inside your memory space of that class. So essentially you take a string from the network and you construct a class from it. Now, in .NET, this is very dangerous if the user is allowed to control what type of class is created, because serialization and deserialization are almost an arbitrary approach that allows, like, the creation of multiple classes. So if, in a case, a user is able to control what kind of classes will be created on the server endpoint, then they could use what's called gadgets, which are dangerous classes that could be used to gain full remote code execution. And this is exactly what happened in Axis Remoting. Essentially this protocol relies on RPC, and in it the client and the server send to one another serialized classes over the wire to allow them to invoke different functionalities on the other side.
And because we discovered that any side of this talk is able to fully control what types of classes will be created on the other side, you are able to inject malicious classes that will lead to code execution. So essentially, if you exploit the man-in-the-middle, for example, you are able to inject malicious classes to both endpoints and cause code execution on both the client and the server.
Dave Bittner
Now, in addition to that, you all discovered there was a fallback HTTP protocol that had anonymous access. Am I getting that right?
Noam Moshe
Yeah, exactly. So while we did gain full remote code execution, we at that point at least still required a man-in-the-middle position, essentially making the vulnerability not fully exploitable in a real-life scenario. Because we want full pre-auth remote code execution without needing to be able to man-in-the-middle a connection from a legitimate client, which is of course less realistic when trying to attack Internet-exposed services. And because of that, we wanted to be able to bypass the authentication requirement altogether. And to do that we used, exactly like you've said, a fallback mechanism in the Axis Remoting protocol that allowed a client that does not have access to the main port of the management server to communicate with it on a different port. And on that different port there was a different protocol that still had the same vulnerabilities as the Axis Remoting protocol, the same deserialization vulnerability. However, the only difference is that we found an additional vulnerability in that fallback protocol that allowed us to bypass the authentication requirement altogether, essentially allowing us to chain these two vulnerabilities together. We use the fallback protocol to bypass the authentication and begin speaking in Axis Remoting. And once we do that, we are able to send serialized classes that are malicious and exploit the deserialization vulnerability in Axis Remoting, giving us full remote code execution that is fully pre-auth. No requirements are needed whatsoever, no prior knowledge, no nothing.
Dave Bittner
Wow. Now help me understand here. Once you all got remote code execution on the server, you used the Axis SDK to move laterally and ultimately get to the cameras.
Noam Moshe
Exactly. At the end of the day, the server's main purpose is to control the cameras. Through the server, sysadmins are able to connect, control, modify their cameras. And because we managed to fully exploit the server, we wanted to move laterally to the cameras. So we used legitimate functions, legitimate functionality of Axis, to be able to implement your own packages. Essentially, Axis offers users and sysadmins the ability to modify their camera's behavior by adding a package to the camera. And through this package you are able to modify its behavior, change how it reacts, what it does, anything that you want. And to do that, Axis offers their own packages, and they actually allow users to build their own packages through an open source SDK. So once we were able to exploit our vulnerability chain to gain control over the Axis management servers, we built our own malicious package with which we infected all the cameras that are managed by the server, essentially giving us worm-like capabilities, allowing us to move laterally from the server to all the cameras it manages. And once we did that, we gained two things. First, we gain network accessibility. At the end of the day, this gives us full control over all the devices and all the IP cameras that this server manages. We are sitting in many different networks, many different LANs and many different physical locations. So we are able to move laterally, we are able to attack, do ransomware, anything that we want. However, in addition to that, because at the end of the day this is an IP camera, we are able to even control, consume and abuse and confuse the camera feed. Originally, when I started the research, my main goal was to implement a James Bond or Mr. Robot style of attack where you are able to actually interfere with the camera feed. So once you control the camera, you're able to, A, access the feed, giving you full espionage capabilities, and B, you are able to control it.
You can close the camera, you can rotate it, you can change the actual feed and replay an old video, whatever you want. So it gives you full control over the cameras.
Dave Bittner
Well, how widespread do you think these vulnerabilities are? I mean, did you get a sense for how many organizations might be affected by this?
Noam Moshe
So once again, the main issue, it's not actually an issue, but the main thing is that Axis is one of the leading brands and leading manufacturers of IP cameras. And because of that they are seen in many, many different organizations, going all the way from big companies, medical, health, and even government agencies. Now, currently we are observing around 6,500 different servers that are sitting worldwide, with almost 4,000 specifically in the U.S. However, it's important to remember that these servers are not standalone servers. They are actually managing different cameras that could be numbered in the thousands as well. So essentially behind every one of these servers, there could be a fleet of cameras that is up to, like, a few thousands or tens of thousands of cameras. And by exploiting these vulnerabilities and these open services online, you are able to gain initial foothold and full control over the video surveillance of all of these different organizations.
Dave Bittner
Now, I know you and your colleagues responsibly disclosed this to Axis. What was their response?
Noam Moshe
So we worked with Axis in collaboration and we responsibly disclosed these vulnerabilities to them. Meaning once we discovered the vulnerabilities, we immediately contacted them, gave them the full technical report, and worked with them to make sure that their clients are protected. And I can tell you that after doing probably over 100 different disclosures over the last four years, Axis were one of the better ones. They were super professional, super prompt to action, and their main goal was to make sure that all of their clients and their users are protected and not exploited. And we worked with them, and our goal, and we had a shared goal, was to make sure that these vulnerabilities are patched as soon as possible. And once we reported these vulnerabilities to them, it took between a few weeks and a month or two for all the vulnerabilities to be fixed, depending on the technical difficulties of implementing a patch.
Dave Bittner
So based on your research here, what are your recommendations for organizations who may have these kinds of cameras or perhaps another brand as well? And any words of wisdom here?
Noam Moshe
So the first thing I believe sysadmins and IT admins and users in general should take away is that having a fully encrypted, fully authenticated protocol does not mean full security. At the end of the day, everything has vulnerabilities in it. The only question is how exposed it is and how much effort a threat actor puts into breaking them and finding vulnerabilities. And just because a service is fully encrypted does not mean that you immediately can expose it to the Internet and say, "yeah, I mean, no one can see what's going on here. It's encrypted and they need proper credentials so they can connect to it." Just having an encrypted service does not mean it is more secure, because you are not aware of what's going on under the hood and what kind of vulnerabilities could lie deep down under the protocol. So encryption, while it's good, it's important, does not mean security. A service can be encrypted with the most up-to-date standard but still have vulnerabilities in it. So know what you expose, have good network hygiene, meaning know what you have in your networks, what kind of services, what kind of attack surface you expose online, and what the risks are and how you take them into account and manage them responsibly.
Dave Bittner
Our thanks to Noam Moshe from Claroty for joining us. The research is titled "Turning Camera Surveillance on Its Axis." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Noam Moshe
Here we have the Limu Emu in...
Dave Bittner
...its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating.
Noam Moshe
It's accompanied by his natural ally, Doug. Limu, is that guy with the binoculars watching us? Cut the camera. They see us.
Dave Bittner
Only pay for what you need. libertymutual.com. Liberty, Liberty, Liberty, Liberty. Savings Fairy underwritten by Liberty Mutual Insurance Company and affiliates, excludes Massachusetts. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid datatribe.com.
Episode: "A Look Behind the Lens"
Date: October 25, 2025
Host: Dave Bittner (N2K Networks)
Guest: Noam Moshe, Team Lead, Vulnerability Research, Claroty
Topic: Critical vulnerabilities discovered in Axis Communications’ surveillance camera management systems
This Research Saturday episode dives deep into vulnerabilities found in Axis Communications’ enterprise surveillance camera systems. Host Dave Bittner interviews Noam Moshe, leader of Claroty’s vulnerability research team, about the recent research titled "Turning Camera Surveillance on its Axis." The episode explores how the team uncovered several severe flaws—vulnerabilities that, when chained together, could allow remote attackers to fully compromise centralized camera management servers and, by extension, entire fleets of surveillance cameras deployed in sensitive environments across the globe.
Notable Quote:
"We discovered few vulnerabilities that when chained together could allow an attacker to essentially gain pre auth remote code execution on these centralized servers... just the ability to connect to the server. It allows them to execute arbitrary code and fully control the server itself."
— Noam Moshe [07:17]
Notable Quote:
"If you achieve man in the middle between Axis client and a server, you can allow the client to authenticate and pass the authentication requirement for the server, even though you are sitting in the middle... invoke different vulnerabilities in both that give you remote code execution on both sides."
— Noam Moshe [09:28]
Notable Quote:
"If a user is able to control what kind of classes will be created on the server endpoint, then they could use what's called gadgets, which are dangerous classes that could be used to gain full remote code execution. And this is exactly what happened in Axis remoting."
— Noam Moshe [14:06]
Notable Quote:
"We found an additional vulnerability in that fallback protocol that allowed us to bypass the authentication requirement altogether...giving us full remote code execution that is fully pre auth, no requirements are needed whatsoever."
— Noam Moshe [16:42]
Notable Quote:
"We built our own malicious package that we infected all the cameras that are managed by the server, essentially giving us worm-like capabilities, allowing us to move laterally from the server to all the cameras it manages...full control."
— Noam Moshe [18:35]
Notable Quote:
"Behind every one of these servers, there could be a fleet of cameras that is up to like a few thousands or tens of thousands of cameras...you are able to gain initial foothold and full control over the video surveillance of all of these different organizations."
— Noam Moshe [21:24]
Notable Quote:
"...their main goal was to make sure that all of their clients and their users are protected and not exploited."
— Noam Moshe [22:29]
Notable Quote:
"Having fully encrypted, fully authenticated protocol does not mean full security. At the end of the day, everything has vulnerabilities in it...Encryption, while it's good, it's important, does not mean security."
— Noam Moshe [23:12]
Notable Quote:
"Originally, when I started the research, my main goal was to implement a James Bond or Mr. Robot style of attack where you are able to actually interfere with the camera feed..."
— Noam Moshe [19:29]
Notable Quote:
"You can close the camera, you can rotate it, you can change the actual feed and replay an old video, whatever you want. So it gives you full control..."
— Noam Moshe [20:22]
This episode spotlights a vital research effort that exposes vulnerabilities in one of the world’s most widely deployed enterprise surveillance systems. Noam Moshe detailed how a combination of protocol flaws allowed attackers to bypass authentication, gain remote code execution, and ultimately control every camera connected to a compromised management server. The findings have sweeping implications for organizations relying on such infrastructure for critical security.
Key takeaway: Security is not simply about encryption and authentication—proprietary and “secure” systems may still have severe flaws lurking beneath the surface. Proactive assessment, prompt patching, and close vendor partnerships are crucial to defending sensitive environments.