CyberWire Daily – Research Saturday
Episode: "A Look Behind the Lens"
Date: October 25, 2025
Host: Dave Bittner (N2K Networks)
Guest: Noam Moshe, Team Lead, Vulnerability Research, Claroty
Topic: Critical vulnerabilities discovered in Axis Communications’ surveillance camera management systems
Episode Overview
This Research Saturday episode dives deep into vulnerabilities found in Axis Communications’ enterprise surveillance camera systems. Host Dave Bittner interviews Noam Moshe, leader of Claroty’s vulnerability research team, about the recent research titled "Turning Camera Surveillance on its Axis." The episode explores how the team uncovered several severe flaws—vulnerabilities that, when chained together, could allow remote attackers to fully compromise centralized camera management servers and, by extension, entire fleets of surveillance cameras deployed in sensitive environments across the globe.
Key Discussion Points & Insights
1. Why Axis? The Context of the Research
- Motivation: The team chose Axis, the dominant non-Chinese surveillance camera vendor, because bans on Chinese surveillance products in many countries left organizations with fewer choices and, in Moshe's words, a "not saturated market" (03:10).
- Significance: With so few major vendors, a single vulnerability in one platform can affect thousands of organizations (03:10).
2. Who is Axis Communications, and What Do They Offer?
- Company Profile: Axis is a Swedish company that manufactures enterprise-grade camera systems, not intended for home use. Their products are primarily used by medium and large organizations, including medical, educational, and government institutions (03:49).
- Deployment Scale: A single management server can control thousands of cameras.
3. Managing Surveillance at Scale
- Key Components:
- Axis Device Manager and Axis Camera Station: Centralized servers that allow admins to configure, manage, and view camera feeds en masse (04:52).
- Importance: Centralization is critical for organizations with large camera fleets.
4. Discovery: Proprietary Axis Remoting Protocol & Critical Vulnerabilities
- Custom Protocol – “Axis Remoting”:
- Proprietary, closed-source protocol used between the client and the central server to configure and monitor cameras (05:59).
- Fully encrypted and authenticated, so it appeared secure at first glance.
- Vulnerability Chain:
- Researchers identified a chain of vulnerabilities, including a "pass the challenge" authentication relay and unsafe deserialization, that together enabled pre-authentication remote code execution (RCE) on the management server.
- Impact: An attacker who takes over the server can then reach every connected camera and potentially pivot into the wider network (07:17).
Notable Quote:
"We discovered a few vulnerabilities that when chained together could allow an attacker to essentially gain pre-auth remote code execution on these centralized servers... just the ability to connect to the server. It allows them to execute arbitrary code and fully control the server itself."
— Noam Moshe [07:17]
5. Technical Deep Dive: Attack Mechanisms
A) Pass the Challenge (NTLM Relay)
- Vulnerability: Axis Remoting authenticates with NTLM challenge-response. An attacker positioned between client and server (man-in-the-middle, MitM) can relay the challenge and response between the two parties, so the server accepts the attacker's connection as the legitimate client's, and then deliver attacker-controlled messages over that authenticated channel (08:30).
- Enables: RCE on both the client and the server, but only from a MitM position (a prerequisite the fallback-protocol finding below removes).
Notable Quote:
"If you achieve man-in-the-middle between Axis client and a server, you can allow the client to authenticate and pass the authentication requirement for the server, even though you are sitting in the middle... invoke different vulnerabilities in both that give you remote code execution on both sides."
— Noam Moshe [09:28]
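To make the relay concrete, here is an added example (not code from the episode, Claroty, or Axis) that models a generic challenge-response login and shows why a relay works and why channel binding stops it. It does not implement NTLM or the Axis Remoting handshake: the HMAC over the challenge, the `SHARED_SECRET`, and the per-connection `channel_id` (standing in for a value both endpoints derive from their own key exchange, such as a TLS exporter) are all constructed for the model.

```python
"""Model of a challenge-response relay ("pass the challenge") and channel binding.
Constructed example; NTLM and the Axis Remoting protocol are not reproduced."""
import hashlib
import hmac
import os

# Constructed secret shared by the legitimate client and the server
# (stands in for the password-derived key a real protocol would use).
SHARED_SECRET = b"operator-password-derived-key"


class Connection:
    """One transport connection. channel_id stands in for a per-connection
    value both endpoints derive from their key exchange (e.g. a TLS exporter)."""

    def __init__(self):
        self.channel_id = os.urandom(16)


def compute_response(secret, challenge, channel_id, channel_binding):
    """Proof of possession of the secret. With channel binding enabled the
    proof also covers the connection it was produced on."""
    data = challenge + (channel_id if channel_binding else b"")
    return hmac.new(secret, data, hashlib.sha256).digest()


class Server:
    def __init__(self, secret, channel_binding):
        self.secret = secret
        self.channel_binding = channel_binding
        self.pending = {}  # connection -> outstanding challenge

    def new_challenge(self, conn):
        nonce = os.urandom(16)
        self.pending[conn] = nonce
        return nonce

    def verify(self, conn, response):
        challenge = self.pending.pop(conn)
        expected = compute_response(self.secret, challenge,
                                    conn.channel_id, self.channel_binding)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, secret, channel_binding):
        self.secret = secret
        self.channel_binding = channel_binding

    def respond(self, conn, challenge):
        # The client can only bind to the channel it is actually talking on.
        return compute_response(self.secret, challenge,
                                conn.channel_id, self.channel_binding)


def legitimate_login(channel_binding):
    """Direct client <-> server session; must succeed in both modes."""
    server = Server(SHARED_SECRET, channel_binding)
    client = Client(SHARED_SECRET, channel_binding)
    conn = Connection()
    challenge = server.new_challenge(conn)
    return server.verify(conn, client.respond(conn, challenge))


def relay_attack(channel_binding):
    """Attacker holds no secret. It opens its own session to the server,
    forwards the server's challenge to the victim client (which believes the
    attacker is the server), and replays the victim's answer on its own session."""
    server = Server(SHARED_SECRET, channel_binding)
    victim = Client(SHARED_SECRET, channel_binding)
    attacker_to_server = Connection()  # attacker's session with the server
    victim_to_attacker = Connection()  # victim's session, terminated at the attacker
    challenge = server.new_challenge(attacker_to_server)
    stolen_response = victim.respond(victim_to_attacker, challenge)
    return server.verify(attacker_to_server, stolen_response)


if __name__ == "__main__":
    print("no binding:   attacker authenticated =", relay_attack(False))
    print("with binding: attacker authenticated =", relay_attack(True))
```

Without binding the server cannot tell the relayed response from a genuine one, because the response depends only on the challenge and the secret. With binding, the victim's response covers the channel it has with the attacker, which never matches the attacker's channel to the server, so the same relay is rejected while a direct login still succeeds.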
B) Deserialization Vulnerability
- Explanation: Serialization converts in-memory objects into a byte or text representation for transmission; the receiver deserializes it back into live objects. If the receiver lets the sender dictate which classes are instantiated, an attacker can send a crafted serialized object (a "gadget") whose construction triggers code execution (13:02).
- Axis Exploitation: Both the client and the server could be made to deserialize attacker-controlled objects, giving the attacker code execution on either side.
Notable Quote:
"If a user is able to control what kind of classes will be created on the server endpoint, then they could use what's called gadgets, which are dangerous classes that could be used to gain full remote code execution. And this is exactly what happened in Axis remoting."
— Noam Moshe [14:06]
C) Anonymous Access via Fallback Protocol
- Bypassing Auth: Alongside Axis Remoting, the server exposed a fallback HTTP service on a separate port. It reached the same deserialization code but did not enforce the authentication the primary protocol required (15:54).
- Full Exploit Chain: Sending the deserialization payload to the fallback service yields pre-auth RCE with no MitM position and no credentials (16:12).
Notable Quote:
"We found an additional vulnerability in that fallback protocol that allowed us to bypass the authentication requirement altogether... giving us full remote code execution that is fully pre-auth, no requirements are needed whatsoever."
— Noam Moshe [16:42]
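The following added example (not code from the episode, Claroty, or Axis) illustrates both the gadget-based deserialization flaw in section B and the unauthenticated fallback entry point in section C, using Python's `pickle` as a stand-in for whatever serializer Axis Remoting uses (the page does not identify it, and no Axis classes or message formats are reproduced). The endpoint names `remoting` and `fallback`, the token `VALID_TOKEN`, the `Gadget` class, and `LEGIT_PAYLOAD` are all constructed for the illustration. The hardened half shows the two fixes a practitioner would expect: an allowlist of classes the deserializer may instantiate, and the same authentication check on every entry point that reaches the parser.

```python
"""Gadget-style deserialization plus an unauthenticated fallback entry point.
Constructed example using Python pickle; not the Axis serializer or endpoints."""
import builtins
import importlib
import io
import pickle

# Constructed request body a legitimate client would send: camera settings.
LEGIT_PAYLOAD = pickle.dumps({"camera_id": 17, "pan": 90, "tilt": -10})

# Constructed session token the real protocol would issue after login.
VALID_TOKEN = "session-token-issued-after-login"


class Gadget:
    """Attacker-supplied object. pickle does not transmit this class; it
    transmits the callable and arguments returned by __reduce__, so the
    receiver ends up calling builtins.eval on an attacker-chosen expression."""

    def __reduce__(self):
        return (builtins.eval, ("6 * 7",))  # stand-in for arbitrary code


def malicious_payload():
    return pickle.dumps(Gadget())


# --- Vulnerable server: one parser, two entry points, auth on only one ---

def naive_deserialize(body):
    return pickle.loads(body)  # instantiates whatever the sender names


def vulnerable_handle(endpoint, token, body):
    """Returns (status, result). The fallback endpoint reaches the same
    deserializer without ever checking the token."""
    if endpoint == "remoting":
        if token != VALID_TOKEN:
            return ("denied", None)
        return ("ok", naive_deserialize(body))
    if endpoint == "fallback":  # separate port, same parser, no auth check
        return ("ok", naive_deserialize(body))
    return ("unknown", None)


# --- Hardened server: allowlisted classes, auth on every entry point ---

# Only classes the protocol legitimately needs; builtins.eval is not here.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_deserialize(body):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def hardened_handle(endpoint, token, body):
    """Every entry point authenticates first and then uses the restricted
    deserializer, so neither the fallback nor a gadget gets through."""
    if endpoint not in ("remoting", "fallback"):
        return ("unknown", None)
    if token != VALID_TOKEN:
        return ("denied", None)
    try:
        return ("ok", safe_deserialize(body))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("vulnerable fallback, no token:", vulnerable_handle("fallback", None, malicious_payload()))
    print("hardened fallback, no token:  ", hardened_handle("fallback", None, malicious_payload()))
    print("hardened remoting, gadget:    ", hardened_handle("remoting", VALID_TOKEN, malicious_payload()))
    print("hardened remoting, legit:     ", hardened_handle("remoting", VALID_TOKEN, LEGIT_PAYLOAD))
```

The vulnerable dispatcher shows the full pre-auth chain in one call: a request to `fallback` with no token still runs the gadget. In the hardened version the allowlist alone would block the gadget even for an authenticated caller, and the shared auth check closes the fallback path independently, so either fix on its own would have broken the chain as the episode describes it.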
D) Lateral Movement to Entire Camera Fleet
- Abuse of SDK: Once on the server, the researchers used the official Axis SDK (intended for administrators to deploy custom applications to cameras) to push a malicious package to every camera the server manages (17:57).
- Capabilities: Control of camera orientation, the live feed (including replaying old footage), and recording, which supports espionage, evidence tampering, or ransomware-style extortion (18:58).
Notable Quote:
"We built our own malicious package with which we infected all the cameras that are managed by the server, essentially giving us worm-like capabilities, allowing us to move laterally from the server to all the cameras it manages... full control."
— Noam Moshe [18:35]
6. Real-world Impact and Prevalence
- Scope: At least 6,500 management servers were found exposed to the Internet worldwide, almost 4,000 of them in the US, each potentially fronting thousands of cameras (20:43).
- High-Value Targets: Large companies, hospitals, schools, and governments, exactly the organizations that depend most on surveillance integrity.
Notable Quote:
"Behind every one of these servers, there could be a fleet of cameras that is up to like a few thousand or tens of thousands of cameras... you are able to gain initial foothold and full control over the video surveillance of all of these different organizations."
— Noam Moshe [21:24]
7. Responsible Disclosure and Vendor Response
- Axis' Response: Moshe described Axis as "super professional, super prompt to action"; fixes shipped within weeks to a few months of disclosure (22:03).
- Lessons Learned: Prompt, cooperative vendor response is essential to protecting users.
Notable Quote:
"...their main goal was to make sure that all of their clients and their users are protected and not exploited."
— Noam Moshe [22:29]
8. Security Recommendations & Words of Wisdom
- Encrypted ≠ Infallible: An encrypted and authenticated protocol is not automatically secure; here the bugs sat in the proprietary message handling underneath the cryptography (23:12).
- Best Practices:
- Inventory your attack surface and network exposure
- Maintain strong network hygiene and patch promptly
- Minimize what you expose to the Internet, even when the service is encrypted
Notable Quote:
"Having a fully encrypted, fully authenticated protocol does not mean full security. At the end of the day, everything has vulnerabilities in it... Encryption, while it's good, it's important, does not mean security."
— Noam Moshe [23:12]
Memorable Moments & Quotes
- "Originally, when I started the research, my main goal was to implement a James Bond or Mr. Robot style of attack where you are able to actually interfere with the camera feed..."
— Noam Moshe [19:29]
- "You can close the camera, you can rotate it, you can change the actual feed and replay an old video, whatever you want. So it gives you full control..."
— Noam Moshe [20:22]
Timestamps for Important Segments
- 02:26 – Why Axis cameras, market context
- 03:49 – Axis company background and deployment
- 04:52 – Camera management infrastructure
- 05:59 – Proprietary protocol and vulnerabilities discovered
- 08:30 – "Pass the Challenge" vulnerability explained
- 13:02 – Deserialization vulnerability technical deep dive
- 15:54 – Fallback protocol and anonymous access exploit
- 17:57 – Lateral movement and "James Bond attack"
- 20:43 – Global prevalence and numbers
- 22:03 – Responsible disclosure and Axis’ response
- 23:12 – Recommendations for security teams
Summary
This episode spotlights a vital research effort that exposes vulnerabilities in one of the world’s most widely deployed enterprise surveillance systems. Noam Moshe detailed how a combination of protocol flaws allowed attackers to bypass authentication, gain remote code execution, and ultimately control every camera connected to a compromised management server. The findings have sweeping implications for organizations relying on such infrastructure for critical security.
Key takeaway: Security is not simply about encryption and authentication—proprietary and “secure” systems may still have severe flaws lurking beneath the surface. Proactive assessment, prompt patching, and close vendor partnerships are crucial to defending sensitive environments.