Internet of Things
Vulnerability Management
Risk Management

Nexus Podcast: Noam Moshe on Hacking Video Surveillance

Michael Mimoso / Aug 7, 2025


With the scrutiny and outright banning of Chinese audio and video surveillance equipment, it's prudent for security researchers to begin examining the attack surfaces of the options available to them.

This week at the Black Hat Briefings in Las Vegas, Team82's Noam Moshe released research on Axis Communications' proprietary Axis.Remoting communication protocol. The research led to the discovery of four vulnerabilities and an exploit chain that results in pre-authentication remote code execution on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds.

"We noticed that more and more companies, different equipment, devices are getting banned from being heavily used. And we thought to ourselves, okay, that probably leads to a very small option group for each company. And this is why we have big companies that are deployed in dozens and like thousands of different organizations out there in the world," Moshe said on this episode of the Nexus Podcast, recorded live at Black Hat.

"By identifying vulnerabilities in this centralized point, basically what's left for users to choose from?" Moshe said. "You are able to gain huge impact from only one vulnerability chain. And you can exploit thousands, dozens, thousands of different companies."

Using internet scans of exposed Axis.Remoting services, an attacker can enumerate vulnerable servers and clients, and carry out granular, highly targeted attacks. Team82 found more than 6500 devices with the exposed Axis.Remoting protocol, representing a large pool of organizations, and tens of thousands, or hundreds of thousands, of devices ripe for exploitation.

"Usually I try and take a look at these centralized platforms that basically are supposed to manage your fleet of devices," Moshe said. "And then if you are able to exploit and take over the centralized platform, you immediately gain the keys to the kingdom and you are the owner of all the devices that it in turn manages, which is super cool, super relevant for attackers. This is how they behave and how they think."

Axis Communications has patched each of the vulnerabilities privately disclosed by Team82: CVE-2025-30023, CVE-2025-30024, CVE-2025-30025, CVE-2025-30026.

Moshe explains how Team82 was able to decrypt traffic sent over the Axis.Remoting protocol and, using a man-in-the-middle connection, chain vulnerabilities and exploits to remotely execute code on the server and camera platforms.

"At its core, Axis uses NTLM SSP, basically an NTLM challenge-response to authenticate valid users. And yeah, the protocol is encrypted using MTLS, meaning both endpoints need to authenticate using a valid certificate. However, by setting up an MTLS man-in-the-middle, meaning a server that exposes a TLS port and creates a new TLS connection, we are able to fully decrypt the traffic. And that way we are able to view clear text, what's going on under the hood," Moshe said.

The key was finding a dangerous deserialization vulnerability, Moshe said.

"Essentially in .NET, having a deserialization immediately leads to code execution," he said. "There's no need for known gadgets, stuff like that. It is immediately leading to code execution, which means you're able to execute, create arbitrary classes on the server's memory space and lead to code execution. And since the vulnerabilities are protocol level, they affect both the client and the server, meaning by having, for example, a man-in-the-middle connection, you are able to attack both endpoints, meaning you execute code on the client and on the server, which is super, super cool."

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
