Axis Communications has issued an urgent software update cycle after security researchers disclosed multiple, high‑impact vulnerabilities in its Camera Station Pro, Camera Station, and AXIS Device Manager products—flaws that, in some cases, allow an authenticated user to achieve remote code execution, enable man‑in‑the‑middle attacks, perform authentication bypasses, or escalate local privileges. Immediate patching and aggressive network hardening are the practical imperatives for organizations that use Axis video management and device‑management software in their surveillance estates.
Background / Overview
Axis Communications supplies video management systems and device management tools widely used in enterprise and industrial environments. The recent disclosure covers four related vulnerabilities—tracked under the identifiers CVE‑2025‑30023, CVE‑2025‑30024, CVE‑2025‑30025, and CVE‑2025‑30026—and affects multiple Axis server‑side products that integrate cameras, recorders, and fleet management.
- The most severe finding (CVE‑2025‑30023) is an authenticated remote code execution (RCE) vector in the client‑server communication protocol that impacts AXIS Camera Station Pro, AXIS Camera Station, and AXIS Device Manager on certain version ranges.
- CVE‑2025‑30024 describes a flaw enabling a man‑in‑the‑middle (MitM) attack against the client–server protocol, weakening confidentiality and integrity.
- CVE‑2025‑30025 is a local privilege escalation (LPE) issue in the server process/service control interaction.
- CVE‑2025‑30026 allows an authentication bypass on Camera Station server installations.
Why this matters: risk profile for security teams
These vulnerabilities are not theoretical: they target core components of video management infrastructure that often run on central Windows servers or on management hosts with high privileges. The combination of RCE and authentication bypass conditions creates several dangerous real‑world attack chains:
- Compromise of video integrity and confidentiality. Successful exploitation can yield access to live and archived camera streams, recordings, and administrative interfaces—exposing PII and operational intelligence.
- Persistence and lateral movement. RCE on Camera Station servers or Device Manager hosts can be used to install persistent backdoors, harvest credentials stored by server applications, and pivot into adjacent systems (NVRs, analytics servers, Windows domain hosts).
- Operational denial and tampering. Attackers can alter recording settings, disable alerts, or modify retention and export settings, undermining incident response and forensic trails.
- Supply‑chain/managed services abuse. Many organizations rely on integrators and remote maintenance services; a vulnerability that enables MitM or authentication bypass can be abused via legitimate remote tunnels or by compromised third‑party hosts.
Technical analysis
CVE‑2025‑30023 — Authenticated remote code execution (RCE)
- The root cause is a weakness in the client‑to‑server communication protocol handling, specifically in how serialized/deserialized data are processed by server components. Improper validation allows crafted requests from authenticated clients to trigger unintended execution paths, enabling arbitrary code execution on the server with the privileges of the video management process.
- Impact: High — RCE can lead to full system compromise of Camera Station or Device Manager hosts, including the ability to modify recordings, exfiltrate footage, and deploy persistent tooling.
- Exploit prerequisites: The attacker must hold valid credentials to the client side of the system (e.g., a Camera Station client account). This elevates the risk in environments with weak account hygiene, shared credentials, or exposed client access points.
CVE‑2025‑30024 — Man‑in‑the‑middle (MitM) weakness
- This vulnerability stems from a protocol protection gap between client and server that allows an attacker in a privileged network position to intercept and manipulate messages undetected. The compromised integrity of the protocol can be abused to alter commands or session tokens.
- Impact: Medium — MitM enables replay, manipulation, and session hijacking; it is particularly dangerous when management traffic traverses untrusted networks or when TLS/endpoint authentication is not enforced.
CVE‑2025‑30025 — Local privilege escalation (LPE)
- The flaw exists in the handshake/IPC path between the server process and the system service that controls it. Improper handling of deserialized data or service control inputs can be abused by a locally authenticated actor or by malware that has gained an initial foothold to escalate privileges to the service/system level.
- Impact: Medium — LPE increases the blast radius of any low‑privilege compromise on the same host (for example, an admin workstation used for VMS management).
CVE‑2025‑30026 — Authentication bypass
- An authentication logic error allows certain client requests to be processed without proper credential verification, effectively permitting unauthorized access to some server functions.
- Impact: Medium — if exploited, attackers can perform operations normally restricted to administrators or authenticated users.
Verification and current status
Independent disclosures from security researchers and the vendor advisory align on the core facts: the four CVEs affect Camera Station Pro, Camera Station, and Device Manager versions prior to the fixed releases listed in the triage checklist below (Camera Station Pro 6.9+, Camera Station 5.58+, Device Manager 5.32+). Axis has published patches and release notes that reference the resolved CVE identifiers and version milestones. Public vulnerability trackers and multiple industry outlets corroborate the CVSS‑style severity assessments and the recommended upgrade baselines.
Caveats and verification notes:
- At the time of disclosure, there were no widely reported, confirmed in‑the‑wild exploitations publicly attributed to these CVEs. However, absence of proof is not proof of absence—vulnerabilities enabling RCE or authentication bypass merit immediate mitigation even if no public exploit code exists.
- Some CVE metadata (scoring vectors or EPSS predictions) can be updated over time; organizations should validate CVSS numbers and exploitability metrics against current vendor advisories or their internal risk frameworks.
- Version mapping matters: some advisories reference slightly different minimal fixed versions for overlapping products. Confirm the exact version number that applies to your installed SKU and validate via the product UI or vendor release notes.
Immediate triage checklist (what to do in the next 24–72 hours)
- Inventory and prioritize
  - Identify all instances of AXIS Camera Station Pro, AXIS Camera Station, and AXIS Device Manager by hostname/IP, version, and physical location.
  - Prioritize hosts exposed to untrusted networks, public IP ranges, or third‑party maintenance tunnels.
- Apply vendor fixes
  - Schedule and apply the vendor‑recommended upgrades immediately for any affected host: Camera Station Pro → 6.9+, Camera Station → 5.58+, Device Manager → 5.32+.
  - Validate installed versions post‑upgrade through the product UI or management console.
- Contain exposure
  - Block or remove any direct Internet exposure of management ports (HTTP/HTTPS), client remote access ports, and device‑management connectors.
  - If patches cannot be immediately applied, isolate the management host on a dedicated, restricted VLAN and restrict access to approved jump hosts.
- Harden access
  - Enforce unique admin accounts and strong passwords; rotate any shared credentials.
  - Require MFA for management jump boxes and remote admin sessions where possible.
  - Disable or restrict client features that expose direct remote control if they are not necessary.
- Monitor and log
  - Centralize logging for Camera Station and Device Manager servers; audit for anomalous client connections and configuration changes.
  - Add IDS/IPS rules to detect suspicious protocol anomalies or unexpected client‑server messages.
- Preserve and investigate
  - If suspicious activity is detected, preserve logs, configuration exports, and memory snapshots for forensic analysis.
  - Scan for signs of post‑compromise persistence (new services, scheduled tasks, modified binaries).
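The inventory and version-validation steps above can be scripted. The following PowerShell is an added example, not code from the advisory or from Axis: it reads the Windows Uninstall registry keys on a host, picks out the three affected products, and compares each installed version against the fixed releases the advisory lists (6.9, 5.58, 5.32). It assumes the installers register a DisplayName beginning with "AXIS" that contains the product name; adjust the patterns to what your installers actually report.

```powershell
# Added example: compare installed Axis server products against the advisory's fixed versions.
$FixedVersions = @{
    'Camera Station Pro' = [version]'6.9'
    'Camera Station'     = [version]'5.58'
    'Device Manager'     = [version]'5.32'
}

function Get-AxisProductStatus {
    # Both the 64-bit and the 32-bit (WOW6432Node) uninstall hives are checked.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Assumption: Axis display names start with "AXIS"; widen the filter if yours differ.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'AXIS*' } |
        ForEach-Object {
            $entry = $_
            # Most specific name first so "Camera Station Pro" is not mistaken for "Camera Station".
            $product = switch -Wildcard ($entry.DisplayName) {
                '*Camera Station Pro*' { 'Camera Station Pro'; break }
                '*Camera Station*'     { 'Camera Station'; break }
                '*Device Manager*'     { 'Device Manager'; break }
                default                { $null }
            }
            if (-not $product) { return }
            # DisplayVersion may carry a build suffix; keep only the numeric dotted part.
            $installed = $null
            if ($entry.DisplayVersion -match '^\d+(\.\d+){1,3}') { $installed = [version]$Matches[0] }
            $required = $FixedVersions[$product]
            $status = if ($null -eq $installed) { 'UNKNOWN - confirm in product UI' }
                      elseif ($installed -ge $required) { 'PATCHED' }
                      else { 'VULNERABLE - upgrade required' }
            [pscustomobject]@{
                Host      = $env:COMPUTERNAME
                Product   = $product
                Installed = $entry.DisplayVersion
                Required  = $required
                Status    = $status
            }
        }
}

Get-AxisProductStatus | Format-Table -AutoSize
```

Run it through Invoke-Command against your server list to build the fleet-wide inventory the checklist asks for; an UNKNOWN row means the version string could not be parsed and must be confirmed in the product UI.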
Patching at scale: recommended process
- Preparation
  - Document maintenance windows and contact lists for sites that may be operationally impacted by VMS patching (parking gates, access control, critical surveillance zones).
  - Export and securely store current configurations and critical recordings per retention and compliance policies.
- Pilot update
  - Apply updates to a single pilot server that represents your most common deployment pattern.
  - Test integration with NVRs, analytics, recording storage, and any third‑party connectors.
- Rollout
  - Use device management tooling or scripted deployment for server updates in batches; stagger updates to reduce operational risk.
  - Monitor for failed upgrades and keep rollback procedures ready.
- Post‑update verification
  - Confirm that authentication is enforced as expected and that the client/server communication functions normally.
  - Run authenticated and unauthenticated test sequences to ensure the authentication bypasses and protocol weaknesses are resolved.
- Documentation and compliance
  - Record update versions, checksums, and verification steps for audit and procurement purposes.
Detection and hunting playbook (technical indicators)
- Network indicators
  - Unexpected inbound client access attempts from untrusted IPs to Camera Station servers.
  - Repeated or anomalous client requests that resemble protocol fuzzing or malformed serialization sequences.
  - New or unusually timed connections from management hosts to external/cloud endpoints that are not part of approved vendor maintenance.
- Host indicators (Windows servers)
  - New local accounts created on Camera Station or Device Manager hosts outside maintenance windows.
  - Unusual scheduled tasks, services, or changes to service binaries.
  - Modified or new files in program directories of Camera Station, Device Manager, or NVR applications.
  - Elevated process activity by the Camera Station service outside normal operation—unexpected child processes, spawned shells, or outbound C2‑style connections.
- Application indicators
  - Configuration exports that contain unfamiliar user accounts or changed network parameters.
  - Differences between expected and current firmware/API versions reported for managed cameras.
- Query Windows event logs and application logs for failed and successful administrative logins to the Camera Station server.
- Search for newly created services or scheduled tasks that execute unknown binaries—particularly in camera server directories.
- Pull recent process creation chains for camera management processes and look for suspicious child processes that could indicate command execution.
- Inspect outbound connections from Camera Station hosts for unexpected destinations or long‑lived TLS sessions to unknown cloud relays.
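The host-side hunts in this playbook (new services and scheduled tasks, new local accounts, unexpected child processes of the Axis service, unapproved outbound connections) map onto built-in Windows telemetry. The script below is an added example, not part of the advisory or of Axis's tooling: it pulls those indicators from the System and Security logs and from live TCP state on one server. It assumes the Security log records events 4688 (process creation), 4698 and 4720 (enable process-creation auditing if 4688 is absent), and it uses a placeholder wildcard for the directory your Axis binaries live in.

```powershell
# Added example: collect the playbook's host indicators from one Camera Station / Device Manager server.
param(
    [int]$LookbackHours = 72,
    # Placeholder: wildcard matching the directory your Axis server binaries are installed in.
    [string]$AxisPathPattern = '*\Axis Communications\*'
)
$since = (Get-Date).AddHours(-$LookbackHours)

function Get-EventField {
    # Read a named EventData field from the event XML instead of relying on Properties[] order.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-Events {
    param([string]$LogName, [int[]]$Ids)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

function Invoke-AxisHostHunt {
    # 1. New services (System 7045), scheduled tasks (4698) and local accounts (4720) in the window.
    Find-Events -LogName 'System' -Ids 7045 | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'NewService'
            Detail = "$(Get-EventField $_ 'ServiceName') -> $(Get-EventField $_ 'ImagePath')" } }
    Find-Events -LogName 'Security' -Ids 4698, 4720 | ForEach-Object {
        $field = if ($_.Id -eq 4698) { 'TaskName' } else { 'TargetUserName' }
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = "Security$($_.Id)"; Detail = Get-EventField $_ $field } }

    # 2. Process creation (4688) whose parent is an Axis binary: a shell or unknown child here is
    #    the "unexpected child process" indicator from the playbook.
    Find-Events -LogName 'Security' -Ids 4688 |
        Where-Object { (Get-EventField $_ 'ParentProcessName') -like $AxisPathPattern } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'AxisChildProcess'
                Detail = "$(Get-EventField $_ 'ParentProcessName') -> $(Get-EventField $_ 'NewProcessName')" } }

    # 3. Established outbound connections owned by Axis processes, for review against approved
    #    vendor maintenance endpoints. Loopback and RFC 1918 destinations are filtered out.
    $axisPids = (Get-Process | Where-Object { $_.Path -like $AxisPathPattern }).Id
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $axisPids -contains $_.OwningProcess -and
                       $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
        ForEach-Object {
            [pscustomobject]@{ Time = Get-Date; Kind = 'AxisOutbound'
                Detail = "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" } }
}

Invoke-AxisHostHunt | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run elevated; the NewService and Security4698 rows should be reconciled against the maintenance windows documented in the patching process, and any AxisChildProcess row pointing at cmd.exe, powershell.exe or an unknown binary warrants the log and memory preservation step from the triage checklist.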
Operational mitigations beyond patching
- Network segmentation: place cameras, NVRs, and VMS servers on a separate management VLAN with strict egress rules. Only allow management traffic from hardened jump hosts and audit all sessions.
- Jump hosts and MFA: force all admin access through audited jump hosts using MFA and session recording.
- Principle of least privilege: operate device manager services and Camera Station under constrained service accounts; restrict filesystem and network privileges.
- Secure remote access: where remote vendor maintenance is required, use IP whitelisting, short‑lived VPN accounts, and explicit vendor IP ranges rather than open tunnels.
- Secrets management: store administrative credentials in an enterprise secrets manager rather than local password files or shared documents.
- Software integrity: validate update packages via checksums or signatures provided by the vendor; avoid installing unsigned binaries.
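The "isolate until patched" and "only allow management traffic from hardened jump hosts" controls can be enforced on the server itself with Windows Firewall while a VLAN change is pending. The following PowerShell is an added example, not Axis guidance: it scopes inbound access to the Axis service executable to a list of jump hosts without hard-coding ports. The jump-host addresses and the executable path are placeholders for your environment; run it elevated on the affected server.

```powershell
# Added example: host-based containment for an unpatched Camera Station / Device Manager server.
# Placeholders (adjust to your environment): hardened jump hosts and the Axis server executable.
$JumpHosts  = @('10.0.10.5', '10.0.10.6')
$ServiceExe = 'C:\Program Files\Axis Communications\PLACEHOLDER\AxisService.exe'

function Set-AxisInboundContainment {
    param([string[]]$AllowedHosts, [string]$Program)

    # Windows Firewall evaluates block rules before allow rules, so a blanket block rule would also
    # cut off the jump hosts. Instead: make the default inbound action Block on every profile...
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # ...disable existing allow rules that open the Axis program to arbitrary sources...
    Get-NetFirewallApplicationFilter -Program $Program -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    # ...and re-open the program only to the jump hosts, on whatever ports it listens on.
    New-NetFirewallRule -DisplayName 'Axis VMS - allow from jump hosts only' `
        -Direction Inbound -Action Allow -Program $Program `
        -RemoteAddress $AllowedHosts -Profile Any -Enabled True
}

function Test-AxisInboundContainment {
    # Report every enabled inbound allow rule for the Axis program with the addresses it admits;
    # anything other than the jump-host list means the containment is incomplete.
    param([string]$Program)
    Get-NetFirewallApplicationFilter -Program $Program -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
        }
}

Set-AxisInboundContainment -AllowedHosts $JumpHosts -Program $ServiceExe
Test-AxisInboundContainment -Program $ServiceExe | Format-Table -AutoSize
```

Because the allow rule is bound to the program rather than to fixed ports, it keeps working if the service's listening ports change, while unrelated rules (RDP to the jump hosts, backup agents) are left untouched.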
For Windows administrators: extra safeguards
- Harden Windows hosts that run Camera Station or Device Manager:
  - Apply the latest Windows security updates and enable automatic patching where feasible.
  - Use endpoint detection and response (EDR) to monitor for anomalous process behaviour and to provide rapid containment.
  - Restrict interactive logons to management servers and require MFA on administrator accounts.
  - Limit access to configuration exports and backups; encrypt backups at rest and restrict access to backup stores.
- Audit integration points:
  - Many Video Management Systems integrate with Active Directory, file shares, or Windows‑hosted analytics. Confirm that these integrations use least privilege service accounts and rotate credentials frequently.
  - Validate service account permissions—these should not be domain admin unless explicitly required and justified.
Procurement and long‑term vendor risk management
This disclosure is another example of why surveillance infrastructure should be procured with security requirements baked in. When evaluating video vendors:
- Require secure‑by‑default behavior: enforce password change on first boot and disable unused services by default.
- Demand timely vulnerability disclosure and patch SLAs: vendors should publish security advisories and provide signed firmware and release notes.
- Insist on secure update mechanisms: cryptographic signing and integrity checks for firmware and packages are essential.
- Include EOL and support guarantees in contracts so your organization is not left with unpatchable devices.
Potential gaps, caveats, and unanswered questions
- Exploit availability: public exploit code had not been widely reported at the time of the coordinated disclosure. Nevertheless, the existence of RCE and authentication bypass vectors means attackers with insider access or stolen credentials could weaponize these issues rapidly.
- Model/version mapping: some vendor documents and third‑party trackers may reference slightly different minimal fixed releases for overlapping products. Confirm the exact version applicable to your build and SKU.
- Third‑party integrations: if Camera Station or Device Manager is integrated with cloud analytics or third‑party NVRs, the full impact of a compromise may extend beyond the Axis software alone. Validate and harden all integration touchpoints.
- Any claim about active exploitation in the wild should be treated cautiously unless supported by incident response telemetry from your estate or a trusted incident‑response source. Organizations should assume a high risk posture and act accordingly even in the absence of public exploit reports.
Final assessment and recommended next steps
Axis’s disclosures for CVE‑2025‑30023 through CVE‑2025‑30026 represent a significant maintenance priority for any organization using Camera Station, Camera Station Pro, or AXIS Device Manager. The most serious risk (an authenticated RCE) underscores the danger of credential reuse, poor account hygiene, and exposed client access mechanisms. Combined with a MitM weakness and an authentication bypass, these findings provide multiple attack vectors that merit a multi‑layered response.
Recommended prioritized actions:
- Immediately inventory affected servers and verify installed versions.
- Apply vendor fixes (Camera Station Pro 6.9+, Camera Station 5.58+, Device Manager 5.32+) in a tested, staged manner.
- If patching is delayed, isolate management hosts, disable unnecessary network exposure, and require jump hosts + MFA for all admin activities.
- Harden Windows servers running VMS/NVR software with EDR, strict privilege controls, and regular patching.
- Implement enhanced monitoring, detection rules, and an incident‑response playbook tailored to camera/VMS compromise scenarios.
- Incorporate security requirements into procurement to avoid repeat exposure from devices lacking secure defaults or vendor support.
The urgent nature of these vulnerabilities means teams should treat them as high priority: validate versions, schedule rapid upgrades, and apply the compensating controls outlined above until every affected installation is confirmed patched and hardened.
Source: CISA Axis Communications Camera Station Pro, Camera Station, and Device Manager | CISA