Executive Summary
In December 2025, CISA published advisory ICSA-25-352-08 covering four vulnerabilities in Axis Communications' AXIS Camera Station Pro, AXIS Camera Station, and AXIS Device Manager products, one of them rated critical (CVSS 9.0). The issues, reported by researchers from Claroty Team82, include deserialization of untrusted data, improper certificate validation, an authentication bypass, and a local privilege escalation. Together they could allow an attacker to execute arbitrary code on the management server, intercept client-server traffic via a man-in-the-middle attack, or bypass authentication that is normally required, undermining the security posture of organizations that run these systems. Fixed releases are available and affected users should upgrade immediately.
This disclosure fits a broader trend of attackers targeting surveillance and physical-security infrastructure, reflecting the attention threat actors now give to operational technology and critical manufacturing environments. The convergence of IT and OT risk, together with rising regulatory expectations, makes robust security controls for IoT and camera systems more important than ever.
Why This Matters Now
These Axis vulnerabilities expose critical infrastructure surveillance systems to potential remote code execution and authentication bypass just as attackers are increasingly targeting operational technology. The urgency is amplified for organizations relying on these products, as exploitation could enable espionage, sabotage, or lateral movement within networks that support safety, business continuity, and industrial resilience.
Attack Path Analysis
No exploitation has been reported for these issues; the path below describes how they could be chained. An attacker reaches an unauthenticated or weakly authenticated endpoint on an AXIS Camera Station or AXIS Device Manager installation and gains initial access through the authentication bypass or by interposing on a connection whose certificate is not properly validated. Using the deserialization flaw in the client-server protocol, the attacker executes code on the server, then uses the service-control privilege escalation to move from the server process to a higher-privileged context and from there to other services in the environment. With command and control established, the attacker can run arbitrary commands and maintain persistence. Sensitive data, including recorded footage and system credentials, could then be exfiltrated over unencrypted protocols or through inadequate egress controls. Ultimately the attacker could disrupt surveillance, tamper with system integrity, or use the foothold for broader attacks against the surrounding infrastructure.
Kill Chain Progression
Initial Compromise
Description
An attacker could exploit the authentication bypass (CVE-2025-30026, AXIS Camera Station Pro and AXIS Camera Station) or the improper certificate validation (CVE-2025-30024, AXIS Device Manager) to gain unauthorized access to the management system.
Related CVEs
CVE-2025-30023
CVSS 9.0
A flaw in the communication protocol between client and server allows an authenticated user to perform remote code execution.
Affected Products:
Axis Communications AXIS Camera Station Pro – <6.9
Axis Communications AXIS Camera Station – <5.58
Axis Communications AXIS Device Manager – <5.32
Exploit Status: no public exploit
CVE-2025-30024
CVSS 6.8
A flaw in the communication protocol between client and server could be leveraged to execute a man-in-the-middle attack.
Affected Products:
Axis Communications AXIS Device Manager – <5.32
Exploit Status: no public exploit
CVE-2025-30025
CVSS 4.8
A flaw in the communication protocol between the server process and the service control could lead to local privilege escalation.
Affected Products:
Axis Communications AXIS Device Manager – <5.32
Axis Communications AXIS Camera Station Pro – <6.7
Axis Communications AXIS Camera Station – 5 (no fixed release listed)
Exploit Status: no public exploit
CVE-2025-30026
CVSS 5.3
A flaw in the AXIS Camera Station Server allows bypassing authentication that is normally required.
Affected Products:
Axis Communications AXIS Camera Station Pro – <6.9
Axis Communications AXIS Camera Station – <5.58
Exploit Status: no public exploit
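To turn the version table above into an inventory check, the following script (an added example, not Axis or CISA tooling) compares installed product versions against the affected ranges listed on this page and reports which CVEs apply. The inventory lines are constructed sample input. Where the page lists only a major version with no fixed release (AXIS Camera Station 5 for CVE-2025-30025), the script flags every 5.x install for manual confirmation against the Axis advisory rather than assuming a fix level.

```python
"""Flag installed Axis management software against the version ranges in this advisory.

Added example; not Axis or CISA tooling. The AFFECTED table is transcribed from the
CVE list on this page; SAMPLE_INVENTORY is constructed sample input, not real hosts.
"""
import re

# (kind, version) per product and CVE.
#   "below": every version older than the listed fixed release is affected.
#   "major": the page lists only a major version with no fixed release; any install
#            in that major is reported for manual confirmation.
AFFECTED = {
    "CVE-2025-30023": {
        "AXIS Camera Station Pro": ("below", "6.9"),
        "AXIS Camera Station": ("below", "5.58"),
        "AXIS Device Manager": ("below", "5.32"),
    },
    "CVE-2025-30024": {
        "AXIS Device Manager": ("below", "5.32"),
    },
    "CVE-2025-30025": {
        "AXIS Device Manager": ("below", "5.32"),
        "AXIS Camera Station Pro": ("below", "6.7"),
        "AXIS Camera Station": ("major", "5"),
    },
    "CVE-2025-30026": {
        "AXIS Camera Station Pro": ("below", "6.9"),
        "AXIS Camera Station": ("below", "5.58"),
    },
}


def parse_version(text):
    """Turn '6.9', '5.58.1' or '6.9 (build 12)' into a tuple of ints so that
    numeric comparison works (6.10 > 6.9, unlike a string compare)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(kind, limit, version):
    """Apply one table entry to one installed version."""
    v, lim = parse_version(version), parse_version(limit)
    if kind == "below":
        return v < lim
    if kind == "major":
        return v[0] == lim[0]
    raise ValueError(f"unknown rule kind: {kind}")


def assess(inventory):
    """inventory: iterable of (host, product, version).
    Returns a list of (host, product, version, cve, action) findings."""
    findings = []
    for host, product, version in inventory:
        for cve, products in AFFECTED.items():
            rule = products.get(product)
            if rule and is_affected(rule[0], rule[1], version):
                action = ("confirm against vendor advisory (page lists major version only)"
                          if rule[0] == "major" else "upgrade to fixed release")
                findings.append((host, product, version, cve, action))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("acs-srv-01", "AXIS Camera Station Pro", "6.8"),
    ("acs-srv-02", "AXIS Camera Station Pro", "6.9"),
    ("legacy-nvr", "AXIS Camera Station", "5.57"),
    ("admin-ws", "AXIS Device Manager", "5.31"),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print("\t".join(finding))
```

On the sample inventory, the 6.8 Pro server is flagged for CVE-2025-30023 and CVE-2025-30026 but not CVE-2025-30025 (fixed in 6.7), the 6.9 server is clean, and the Device Manager 5.31 workstation is flagged for all three CVEs that affect it. Feed it real data by replacing SAMPLE_INVENTORY with output from your software inventory tool.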
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Command and Scripting Interpreter (T1059)
Abuse Elevation Control Mechanism (T1548)
Unsecured Credentials (T1552)
Valid Accounts (T1078)
Modify Authentication Process (T1556)
Adversary-in-the-Middle (T1557)
Exploitation for Defense Evasion (T1211)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Systems Security and Resilience
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Strong Authentication and Authorization
Control ID: Pillar: Identity, Access, and Authentication
NIS2 Directive – Access Control and Secure Communication
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Security/Investigations
Critical vulnerabilities in Axis camera management systems enable remote code execution and authentication bypass, compromising physical security infrastructure and surveillance operations.
Commercial Real Estate
Camera Station vulnerabilities expose building security systems to man-in-the-middle attacks and privilege escalation, threatening tenant safety and property protection.
Critical Manufacturing
Axis surveillance system flaws published in a CISA ICS advisory allow attackers to bypass authentication and execute arbitrary code in manufacturing facility security infrastructure.
Government Administration
A CVSS 9.0 remote code execution flaw in surveillance management software used by government facilities enables remote exploitation, compromising facility security and potentially exposing sensitive operational areas.
Sources
- CISA ICS Advisory ICSA-25-352-08, Axis Communications Camera Station Pro, Camera Station, and Device Manager: https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-08
- NVD, CVE-2025-30023: https://nvd.nist.gov/vuln/detail/CVE-2025-30023
- NVD, CVE-2025-30024: https://nvd.nist.gov/vuln/detail/CVE-2025-30024
- NVD, CVE-2025-30025: https://nvd.nist.gov/vuln/detail/CVE-2025-30025
- NVD, CVE-2025-30026: https://nvd.nist.gov/vuln/detail/CVE-2025-30026
- Axis Communications Security Advisory for CVE-2025-30023: https://www.axis.com/dam/public/9b/a5/72/cve-2025-30023pdf-en-US-485733.pdf
- Axis Communications Security Advisory for CVE-2025-30024: https://www.axis.com/dam/public/01/d9/24/cve-2025-30024pdf-en-US-485734.pdf
- Axis Communications Security Advisory for CVE-2025-30025: https://www.axis.com/dam/public/f2/28/d2/cve-2025-30025pdf-en-US-517962.pdf
- Axis Communications Security Advisory for CVE-2025-30026: https://www.axis.com/dam/public/a3/42/92/cve-2025-30026pdf-en-US-485735.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, encrypted communications, a strict egress policy, and east-west traffic visibility would help detect or block exploitation of these vulnerabilities, limit lateral movement, and constrain data exfiltration. None of these controls replaces the vendor patch; they reduce exposure while upgrades are scheduled and limit the blast radius if a server is compromised.
Control: Cloud Firewall (ACF)
Mitigation: Blocks unauthorized inbound access to the Camera Station and Device Manager management interfaces, so only approved client and operator networks can reach them.
Control: Inline IPS (Suricata)
Mitigation: Detects and, where signatures exist, prevents exploitation attempts against the deserialization flaw in the client-server protocol. Note that the protocol traffic must be visible to the sensor; traffic the IPS cannot decrypt or parse will not be inspected.
Control: Zero Trust Segmentation
Mitigation: Restricts traffic between the management server, cameras, and other services to the flows that are actually required, limiting what a compromised server can reach.
Control: Threat Detection & Anomaly Response
Mitigation: Alerts on anomalous control connections, such as a new source talking to the management server or the server initiating unexpected outbound sessions.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or alerts on unauthorized outbound traffic that could indicate exfiltration of footage or command-and-control activity.
Together these controls support rapid detection of, and response to, anomalous system behavior or service degradation.
Impact at a Glance
Affected Business Functions
- Surveillance Monitoring
- Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to surveillance footage and system controls.
Recommended Actions
Key Takeaways & Next Steps
- Upgrade to the fixed releases listed above (AXIS Camera Station Pro 6.9 or later, AXIS Camera Station 5.58 or later, AXIS Device Manager 5.32 or later), and confirm the status of any remaining AXIS Camera Station 5 installs for CVE-2025-30025 against the Axis advisory.
- Enforce microsegmentation and least-privilege access controls so that a compromised management server cannot move freely to cameras, directory services, or other systems.
- Deploy inline intrusion prevention and behavioral analytics to detect and block exploitation of the authentication bypass and deserialization flaws.
- Require encryption in transit with proper certificate validation, including internal service-to-service traffic, to remove the man-in-the-middle and credential-interception risk that improper certificate validation creates.
- Apply strict egress policies to monitor, alert on, and block unauthorized outbound traffic that could indicate exfiltration or C2 activity.
- Maintain continuous, centralized visibility into cloud and hybrid environments for rapid detection of and response to anomalous behavior.
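The weakness behind CVE-2025-30024 is the class "improper certificate validation": a client that accepts any certificate can be silently interposed on by an on-path attacker. The advisory does not describe the Device Manager protocol, so the following is an added, generic illustration of the weak client configuration beside the hardened one, not Axis's code. The CA bundle path is a hypothetical argument supplied by the caller; the pin check shows how an out-of-band provisioned fingerprint can supplement chain validation for self-signed server or device certificates.

```python
"""Weak vs. hardened TLS client configuration (improper certificate validation class).

Added example, not Axis code. Shows the pattern a management client should follow:
verify the chain against an explicit trust store, require hostname match, and
optionally pin the expected server certificate.
"""
import hashlib
import hmac
import ssl


def weak_client_context():
    """The mistake: turn off chain and hostname checks 'because the server cert is
    self-signed'. Any on-path attacker can now present their own certificate and
    read or modify everything the client sends, including credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle_path=None):
    """Verify the server chain and hostname. For a self-signed management server,
    ship that server's certificate (or the private CA that issued it) as the
    trust store instead of disabling verification.

    ca_bundle_path: hypothetical PEM bundle path chosen by the caller; None uses
    the system root store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def cert_pin_matches(cert_der, expected_sha256_hex):
    """Second factor for self-signed server or device certificates: compare the
    SHA-256 of the DER certificate the server presented with a fingerprint
    provisioned out of band. After the handshake, obtain cert_der with
    ssl_sock.getpeercert(binary_form=True). Constant-time compare avoids
    leaking how many leading bytes matched."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def connect_and_check(host, port, ctx, expected_pin=None):
    """Open a verified TLS connection and, if a pin is supplied, enforce it.
    Raises ssl.SSLError on chain/hostname failure and ValueError on pin mismatch."""
    import socket
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if expected_pin is not None:
                der = tls.getpeercert(binary_form=True)
                if not cert_pin_matches(der, expected_pin):
                    raise ValueError("server certificate does not match provisioned pin")
            return tls.version()


if __name__ == "__main__":
    # Hypothetical server name and pin; this block only runs when executed directly.
    ctx = hardened_client_context()
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

The important difference is not the cipher suite but whether the client refuses to talk to an unexpected peer: the weak context completes the handshake with anyone, the hardened one fails closed unless the chain, hostname, and (optionally) pin all match.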