Four vulnerabilities have been found in a popular line of video surveillance products, exposing thousands of organizations to attack, cybersecurity firm Claroty said Wednesday.
“Using internet scans of exposed Axis.Remoting services, an attacker can find vulnerable servers and clients, and carry out granular, targeted attacks,” according to Claroty. “Feeds can be hijacked, watched, and/or shut down,” the cybersecurity firm said. “Attackers can exploit these security issues to bypass authentication to the cameras and gain pre-authentication remote code execution on the devices.”
Sweden-based Axis Communications is a major player in the physical security space, known for its high-end IP cameras, access control systems and audio devices, which are used by many enterprises globally, including government agencies, educational institutions and Fortune 500 companies, Claroty says.
As of publication, more than 6,500 servers exposing the protocol and its services were found on the internet, with more than half of those in the U.S., the cybersecurity firm said. Many of the organizations using Axis camera deployments also have a significant number of devices, sometimes across multiple sites, the company says.
“Each of these servers could potentially manage hundreds or thousands of individual cameras,” Claroty said. “Given current bans on Chinese technology in many corners of the world, an organization’s choice of vendors has become somewhat limited, putting more emphasis on the protection of platforms available for these deployments.”
Team 82, Claroty’s research team, was able to access both the centralized Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds, Claroty said.
Axis Communications has patched the vulnerabilities and published an advisory urging users to upgrade to current versions of Axis Device Manager, Axis Camera Station Pro and Axis Camera Station 5.
Team 82 says Axis Communications acknowledged the disclosure and released updates in a timely fashion. Axis says that no known exploits exist publicly as of today and that it is not aware that the vulnerabilities have been exploited.
The vulnerability has been assigned a critical severity designation using an industry framework for assessing the severity of software vulnerabilities, Axis said in the advisory.