Black Hat USA 2025 | Turning Camera Surveillance on Its Axis
Why It Matters
Compromising Axis camera management gives attackers unrestricted visibility and control over corporate environments, turning surveillance assets into a powerful attack surface.
Key Takeaways
- Axis “access remoting” protocol uses mTLS but is vulnerable to deserialization
- JSON type‑name handling enables arbitrary class creation on the server
- Exploit requires authentication; pass‑the‑hash bypasses the NTLMSSP challenge for access
- Remote code execution grants control of server, client, and all cameras
- Researchers demonstrate full camera fleet takeover via malicious packages
Summary
At Black Hat USA 2025, Noam Moshe of Claroty Team82 exposed a critical flaw in Axis Communications’ Access Remoting protocol, the encrypted channel used by enterprises to manage fleets of IP cameras remotely.
The protocol, built on mTLS and NTLMSSP authentication, wraps a JSON‑based RPC layer. Moshe discovered that Axis enabled Newtonsoft.Json’s TypeNameHandling=Auto, allowing a client to dictate the .NET type instantiated on the server. By injecting a specially crafted JSON payload, an attacker can trigger arbitrary object creation, leading to remote code execution. Although the service requires valid credentials, the researcher demonstrated a pass‑the‑hash attack against the NTLMSSP handshake and a man‑in‑the‑middle setup to inject the payload.
In practice, Moshe generated a malicious payload with ysoserial.net, obtained a reverse shell on the Access Device Manager, and then leveraged Axis’s modular SDK to push a custom package to every camera under the compromised manager, achieving code execution on the client, server, and all connected cameras. He highlighted the “type name handling auto” setting as the root cause and showed how the fallback HTTP‑like channel could be reverse‑engineered to bypass standard checks.
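The root cause named above is a configuration choice, so the most useful thing to see is the weak setting next to its fixes. The following is an added C# example written for this summary; it is not Axis code and not Claroty's proof of concept. The `RpcMessage`, `CameraStatusRequest` and `ServerOnlyAction` types are constructed stand-ins for an RPC envelope and its payloads, and the code assumes Newtonsoft.Json 10 or later (for `ISerializationBinder`). It feeds the same client-supplied JSON, whose `$type` names a class the handler never intended to accept, through three serializer configurations: `TypeNameHandling.Auto` (the setting reported as the root cause), `TypeNameHandling.None`, and `TypeNameHandling.Objects` pinned to an allow-list binder.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Constructed envelope type (not Axis code). An object-typed Payload is the
// classic place where TypeNameHandling.Auto lets the sender's "$type" pick the class.
public class RpcMessage
{
    public string Method { get; set; }
    public object Payload { get; set; }
}

// The only payload type the server actually expects for the "status" method.
public class CameraStatusRequest
{
    public string CameraId { get; set; }
}

// A server-internal type that must never be constructible from client JSON.
// Constructed stand-in for the classes a real deserialization gadget would target.
public class ServerOnlyAction
{
    public string Target { get; set; }
}

// Allow-list binder: "$type" resolves only to names the server explicitly expects;
// everything else is rejected before any object is constructed.
public sealed class AllowListBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == nameof(CameraStatusRequest))
            return typeof(CameraStatusRequest);
        throw new JsonSerializationException($"Type '{typeName}' is not permitted in client messages");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class DeserializationDemo
{
    // Weak: the client dictates which .NET type is instantiated.
    public static readonly JsonSerializerSettings Weak =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };

    // Hardened: "$type" is never honoured; Payload stays a JObject the handler maps itself.
    public static readonly JsonSerializerSettings Hardened =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

    // Constrained: polymorphism kept, but type resolution pinned to the allow-list.
    public static readonly JsonSerializerSettings Constrained = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder()
    };

    // Report which runtime type Payload ended up as, or that the message was rejected.
    public static string Describe(string json, JsonSerializerSettings settings)
    {
        try
        {
            var msg = JsonConvert.DeserializeObject<RpcMessage>(json, settings);
            return msg.Payload == null ? "null" : msg.Payload.GetType().Name;
        }
        catch (JsonSerializationException e)
        {
            return "rejected: " + e.Message;
        }
    }

    public static void Main()
    {
        // Constructed client messages: one legitimate, one whose "$type" names the server-only class.
        string legit = "{\"Method\":\"status\",\"Payload\":{\"$type\":\"CameraStatusRequest\",\"CameraId\":\"cam-01\"}}";
        string hostile = "{\"Method\":\"status\",\"Payload\":{\"$type\":\""
            + typeof(ServerOnlyAction).AssemblyQualifiedName + "\",\"Target\":\"cam-01\"}}";

        Console.WriteLine("Auto, hostile:       " + Describe(hostile, Weak));        // ServerOnlyAction
        Console.WriteLine("None, hostile:       " + Describe(hostile, Hardened));    // JObject
        Console.WriteLine("Allow-list, hostile: " + Describe(hostile, Constrained)); // rejected: ...
        Console.WriteLine("Allow-list, legit:   " + Describe(legit, Constrained));   // CameraStatusRequest
    }
}
```

The first line of output is the whole problem: under `Auto`, the type of the object created on the server is chosen by whoever wrote the JSON. `None` is the right default for any channel that reaches a network listener; the allow-list binder is the fallback when the protocol genuinely needs polymorphic payloads, and its `BindToType` is also a natural place to log rejected type names, since a `$type` that is not on the list is a strong signal of probing.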
The vulnerability gives threat actors full control over surveillance infrastructure, exposing live feeds and enabling persistent footholds in corporate networks. Organizations that expose Access Remoting to the internet or rely on Axis’s cloud‑less remote access must urgently patch or disable the feature, and vendors need to reconsider unsafe deserialization defaults across IoT products.