CyberWire Daily - A look behind the lens. [Research Saturday]
Episode Date: October 25, 2025
Noam Moshe, Claroty's Vulnerability Research Team Lead, joins Dave to discuss Team82's work on "Turning Camera Surveillance on its Axis." Team82 disclosed four vulnerabilities in Axis.Remoting (deserialization, a MiTM "pass-the-challenge" NTLMSSP flaw, and an unauthenticated fallback HTTP endpoint) that enable pre-auth remote code execution against Axis Device Manager and Axis Camera Station. They found more than 6,500 Axis.Remoting services exposed online (over half in the U.S.), letting attackers enumerate targets, install malicious Axis packages, and hijack, view, or shut down managed camera fleets. Axis published an urgent advisory, issued patches for ADM 5.32, Camera Station 5.58 and Camera Station Pro 6.9, accepted Team82's disclosure, and organizations are urged to update. The research can be found here: Turning Camera Surveillance on its Axis
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Are you ready for AI in cybersecurity?
Demand for these skills is growing exponentially for cybersecurity professionals.
It's why CompTIA, the largest vendor-neutral certification authority, is developing SEC AI Plus.
It's their first ever AI certification focused on artificial intelligence and cybersecurity
and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools.
And that's why N2K's SEC AI Plus practice exam is coming out this year to help you prepare for this certification release in 2026.
To find out more about this new credential and how N2K can help you prepare today,
check out our blog at Certify.Cybervista.net slash blog.
And thanks.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data and identity,
anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems and protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So essentially, we looked at Axis, one of the major and leading brands in the world of
camera surveillance.
And the reason why we started looking for vulnerabilities in the Axis product line was
because we noticed a very common trend of banning Chinese manufactured and made product lines
and essentially leaving organizations with less options to pick from.
That's Noam Moshe, Claroty's vulnerability research team lead.
The research we're discussing today is titled Turning Camera Surveillance on its Axis.
And this very not-saturated market of video surveillance
after the world of banning most, if not all, Chinese vendors,
vendors basically left two, three, maybe four big players in the field. And because of that,
finding one critical vulnerability or vulnerability chain in one of these major vendors could
lead to devastating effects, affecting thousands of different companies. Well, for folks who might
not be familiar with Axis communications and their camera systems, where are they from?
Where are these products made? So Axis is a Swedish
company at its core, I believe. And we mainly see it in the US market. Now, it's important to say that
Axis is not home user camera, meaning it's not a camera I'll set up in my home office or at my
perimeter. Instead, it is more enterprise grade, enterprise ready, essentially allowing
organizations and big organizations to have up to like a few thousands of cameras as part of
their camera fleet. So you'll see them in big companies, like medium-to-big
companies, medical and educational institutions, governments, all sorts of locations.
I see. Well, help paint a picture for us here. My understanding is there is an Axis
device manager and a camera station that play a critical role in managing this surveillance
infrastructure. Is my understanding correct here? And why,
Why do those components matter?
So essentially, when you have more than one camera, you need to have one centralized way
to control, manage, and consume the actual video feed of your cameras.
And because we are talking about organizations that could have like fleets of thousands
and tens of thousands of devices, they cannot control, manage, and consume the feed from
each camera directly.
And instead, Axis implemented like a centralized solution that allows them,
and allow users to control and manage
and actually see the video feed
of your entire camera fleet in one centralized location.
And this is exactly what Axis Device Manager
and Axis Camera Station are.
These are centralized servers that you install
and basically through them,
you are able to modify, backup, restore, control,
configuration and actually view the camera feed
of all of your cameras in one location.
Well, describe for us what happened when you all went looking at their protocols here.
What did you discover?
So, in our research, we wanted to see what kind of communications and what kinds of protocols
will see in the Axis ecosystem.
And soon enough, we discovered that Axis implemented their own custom proprietary protocol
that we call Axis remoting that allows a client
and a server to connect and communicate with one another.
Essentially, it's a closed source protocol,
meaning there's no documentation,
no open source tools, no nothing
about how this actually protocol actually looks under the hood.
It allows a client application to connect to these centralized servers
and use the functionalities they expose.
So, for example, if we're talking about Axis Device Manager,
it allows the sysadmins to control,
configure, see the status of all of the cameras.
Now, while this protocol is fully encrypted, fully authenticated,
essentially giving users the impression that it is fully secure and fully okay to expose it to the
internet, we discovered a few vulnerabilities that when chained together,
could allow an attacker to essentially gain pre-auth remote code execution on these centralized
servers. Now, this essentially
allows the attacker without any
prior knowledge, without credentials,
without anything, just the ability
to connect to the server.
It allows them to execute
arbitrary code and fully
control the server itself.
And thus,
gaining two things. First,
they gain pivot point and leverage
into someone's network
and organization's network that
actually deploys the access cameras.
And not only,
do they control the server, they also control the cameras themselves.
Because at the end of the day, the use case, the business logic of this server is to control
the cameras and manage them.
And because of that, once this server is compromised, you are able to move laterally and
fully control all the different cameras and all the different fleets that this server manages,
giving you access to both the networks and the cameras themselves, meaning the camera feeds,
and anything they are accessible to.
Now, you all uncovered a pass-the-challenge vulnerability?
Can you explain to us what exactly that means?
Yes.
So essentially, we discovered four or five vulnerabilities.
One of them was a pass-the-challenge vulnerability.
And essentially, what this vulnerability means is that it allows a user
with a man-in-the-middle setup,
essentially like an attacker that is sitting inside,
like in the middle of a client's and a server's connection,
to intervene and basically take control over the connection.
By using this man in the middle server,
you expose your own server
and essentially pass the requests from the client to the server
and the responses from the server to the client.
Now, one of the first thing that happened in this proprietary protocol
is that the client must authenticate.
And to authenticate users and make sure
they are valid users, Axis chose to use NTLMSSP or NTLM challenge response.
Essentially, it's a very common protocol in Windows-based networks, and it allows a server
to identify users as legitimate. The drawback of it is that it is susceptible to pass-the-challenge,
pass-the-request attacks. So this means that if you achieve man in the middle between an
Axis client and a server, you can allow the client to authenticate and pass the
authentication requirement for the server, even though you are sitting in the middle and
you are able to fully inject and change and alter any response and requests whatsoever.
So that way, after the client authenticates, you are able to inject your own messages and
responses from the client and the server and invoke different vulnerabilities in both
that give you remote code execution on both sides.
Essentially, allowing you to execute code on the client and on the server
just by having this man in the middle position
and passing the challenge that the server sends to the client
and the response, essentially the authentication response sent by the client.
We'll be right back.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber
Service Academy Program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000
additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at c.j.j.u.edu slash MSSI.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management
platform continuously monitors your systems, centralizes your data, and simplifies your security
at scale. And it fits right into your workflows, using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time. With Vanta, you get everything you
need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com
slash cyber. That's V-A-N-T-A-com slash cyber.
Now, another one of the issues that you highlight in the research is a deserialization issue.
Can you unpack that for us?
Of course.
So this is the core vulnerability, and this is the core finding that allows attackers to execute
arbitrary code on the client, the server, and because they control the server, also on the
cameras. Now, deserialization is a concept. It's a development concept where essentially you need
to take a class. First of all, deserialization is the opposite of serialization, and both of them
are the process of taking a class that is represented in memory. Essentially, you have your
backend and you have this class, and you want to send it over the wire, for example. And to do
that you need to take the class and transform it into a way to actually send it over the wire
because you can't send like memory address. You need to have like a representation.
So for example, you'll take the class and represent it as text, and that way you're
able to send this text that actually represents the class over the wire.
Now, the process of deserialization is exactly the opposite. You take something and you construct
an in-memory class
inside your memory space
of that class. So essentially
you take a string from the network
and you construct a class from it.
Now, in DotNet, this is very
dangerous if the user is
allowed to control what type
of class is created.
Because serialization and deserialization
are almost arbitrary
approaches that allow
the creation of multiple classes.
So if, in a case,
a user is able to control what kind of classes
will be created on the server endpoint,
then they could use what's called gadgets,
which are dangerous classes,
that could be used to gain full remote code execution.
And this is exactly what happened in Axis remoting.
Essentially, this protocol relies on RPC,
and in it, the client and the server
sent to one another serialized classes over the wire
to allow them to invoke different functionalities in the other side.
And because we discovered that any side of this talk
is able to fully control what types of classes will be created on the other side,
you are able to inject malicious classes that will lead to code execution.
So essentially, if you exploit the man in the middle, for example,
you are able to inject malicious classes to both endpoints
and cause code execution on both the client and the server.
Now, in addition to that, you all discovered
there was a fallback HTTP protocol that had anonymous access.
Am I getting that right?
Yeah, exactly.
So while we did gain full remote code execution,
we at that point at least still required man in the middle position,
essentially making the vulnerability not fully exploitable in a real-life
scenario, because we want full pre-auth remote code execution without needing to be
able to man in the middle connection from a legitimate client, which is, of course, less
realistic when trying to attack internet-exposed services. And because of that, we wanted to be
able to bypass the authentication requirement altogether. And to do that, we used exactly like
you've said, a fallback mechanism in the Axis remoting protocol that allowed
a client that is not accessible to the main server of the management server, the main port of the management server, to communicate with it on a different port.
And on that different port, there was a different protocol that still had the same vulnerabilities as the Axis remoting protocol, the same deserialization vulnerability.
However, the only difference is that we found an additional vulnerability in that fallback protocol that allowed us to bypass the
authentication requirement altogether, essentially allowing us to chain these two vulnerabilities
together. We use the fallback protocol to bypass the authentication and begin speaking in Axis
remoting. And once we do that, we are able to send serialized classes that are malicious
and exploit the deserialization vulnerability in the Axis remoting, giving us full remote
code execution that is fully pre-auth, no requirements
are needed whatsoever, no prior knowledge, no nothing.
Wow. Now, help me understand here.
Once you all got remote code execution on the server,
you used the Axis SDK to move laterally and ultimately get to the cameras?
Exactly. At the end of the day, the server's main purpose is to control the cameras.
Through the server, sysadmins are able to connect, control, modify their cameras.
And because we managed to fully exploit the server, we wanted to move laterally to the cameras.
So we used legitimate functions, the legitimate functionality of Axis, to be able to implement
your own packages.
Essentially, Axis offers users and sysadmins to be able to modify their cameras behavior
by adding a package to the camera.
And through this package,
you are able to modify its behavior,
change how it reacts,
what it does, anything that you want.
To do that, Axis offers their own packages,
and they actually allow users to build their own packages
through an open source SDK.
So once we were able to exploit our vulnerability chain
to gain control over the Axis
management servers, we built our own malicious package with which we infected all the cameras that
are managed by this server, essentially giving us worm-like capabilities, allowing us to move
laterally from the server to all the cameras it manages.
And once we did that, we gain two things.
First, we gain network accessibility.
At the end of the day, this gives us full control over all the devices and all the IP
cameras that this server manages. We are sitting in many different networks, many different
LANs, and many different physical locations. So we are able to move laterally, we are able to
attack, do ransomware, anything that we want. However, in addition to that, because at the end of the day
this is an IP camera, we are able to even control, consume, and abuse and confuse the camera
feed.
Originally, when I started the research, my main goal was to implement a James Bond or
Mr. Robot's style of attack where you are able to actually interfere with the camera
feed.
So once you control the camera, you're able to, A, access the feed, giving you full
espionage capabilities, and B, you are able to control it.
You can close a camera, you can rotate it, you can change the actual feed, and
replay an old video, whatever you want.
So it gives you full control of the cameras.
Well, how widespread do you think these vulnerabilities are?
I mean, did you get a sense for how many organizations might be affected by this?
So, once again, the main issue is that, not actually an issue,
but the main thing is that Axis is one of the leading brands and leading manufacturers
of IP cameras.
And because of that, they are seen in many, many different organizations going all the way from big companies, medical health, and even government agencies.
Now, currently, we are observing around 6,500 different servers that are sitting worldwide, with almost 4,000 specifically in the US.
However, it's important to remember that these servers are not standalone servers.
They are actually managing different cameras that could be numbered in the thousands as well.
So essentially behind every one of these servers, there could be a fleet of cameras that is up to like a few thousands or tens of thousands of cameras.
And by exploiting these vulnerabilities and these open services online, you are able to gain initial foothold and full control over the video surveillance of all of these organizations.
Now, I know you and your colleagues responsibly disclosed this to Axis.
What was their response?
So we worked with Axis in collaboration and we responsibly disclosed this vulnerability to them,
meaning once we discovered vulnerabilities, we immediately contacted them,
gave them the full technical report, and worked with them to make sure that their clients are protected.
And I can tell you that after doing probably over 100 different disclosures over the last four years,
Axis were one of the better ones.
They were super professional,
super prompt to action,
and their main goal was to make sure
that all of their clients
and their users are protected
and not exploited.
We worked with them, and our goal,
and we had a shared goal,
was to make sure that these vulnerabilities are
patched as soon as possible.
And once we reported these vulnerabilities to them,
it took between a few weeks and
a month or two for all the vulnerabilities to be fixed,
depending on the technical difficulties of implementing a patch.
So based on your research here,
what are your recommendations for organizations
who may have these kinds of cameras
or perhaps another brand as well?
And any words of wisdom here?
So the first thing I believe sysadmins and IT admins
and users in general should take
is that having a fully encrypted, fully authenticated
protocol does not mean full security.
At the end of the day, everything has vulnerabilities in it.
The only question is how exposed it is
and how much effort a threat actor puts into breaking them
and finding vulnerabilities.
And just because a service is fully encrypted
does not mean that you immediately can expose it to the internet
and say, yeah, I mean, no one can see what's going on here.
It's encrypted and they need proper credentials
so they can't connect to it.
Just having an encrypted service
does not mean it is more secure,
because you are not aware
of what's going on under the hood
and what kind of vulnerabilities
could lie down deep
under the protocol.
So encryption, while it's good,
it's important, does not mean security.
A service can be
encrypted with the most up-to-date standard
but still have vulnerabilities in it.
So know what you expose,
have good network
hygiene, meaning know what you have in your networks, what kind of services, what kind of
attack surface you expose online, and what are the risks and how you take them into account
and manage them responsibly.
Our thanks to Noam Moshe from Claroty for joining us.
The research is titled Turning Camera Surveillance on its Axis. We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at n2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
Rinse takes your laundry and hand delivers it to your door,
expertly cleaned and folded.
So you could take the time once spent folding and sorting and waiting
to finally pursue a whole new version of you.
Like tea time you.
Mmm.
Or this tea time you.
Or even this tea time you.
Did you hear about Dave?
Or even tea time, tea time, tea time you.
Mmm.
So update on Dave.
It's up to you.
We'll take the laundry.
Rinse. It's time to be great.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms
building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual Data Tribe Challenge takes center stage as elite startups
pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors,
and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.dotribe.com.
