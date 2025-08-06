Thousands of organizations could be vulnerable to attack after researchers discovered four critical vulnerabilities in the products of Axis Communications, a leading manufacturer of CCTV cameras and surveillance equipment.

OT security firm Claroty and its research branch, Team82, shared findings at Black Hat USA, in Las Vegas, on August 6.

Flaws in Axis Proprietary Client-Server Communication Protocol

Team82 researcher, Noam Moshe, discovered the vulnerabilities which all originating from a fundamental flaw in Axis.Remoting, a proprietary communication protocol used between client applications and Axis’ servers.

Upon discovery, Team82 quickly notified Axis Communications, which publicly reported them – the manufacturer is a certified Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA).

They are tracked as follows:

CVE-2025-30023. A critical flaw (CVSS score: 9) affecting Axis Camera Station Pro before version 6.9, Axis Camera Station before version 5.58 and Axis Device Manager before version 5.32 that could lead to an authenticated user performing a remote code execution (RCE) attack

CVE-2025-30024. A medium-severity flaw (CVSS score: 6.8) affecting Axis Device Manager before version 5.32 that could be leveraged to execute a man-in-the-middle (MitM) attack

CVE-2025-30025. A medium severity flaw (CVSS score: 4.8) affecting Axis Camera Station version 5, Axis Camera Station Pro before version 6.7 and Axis Device Manager before version 5.32 that could lead to a local privilege escalation

CVE-2025-30026. A medium severity flaw (CVSS score: 5.3) affecting Axis Camera Station before version 5.58 and Axis Camera Station Pro before version 6.9 that could allow an authentication bypass attack

The manufacturer stated in its advisories that it had observed no in the exploitation in the wild of any of the four flaws.

It also released patches in the following software updates:

Axis Camera Station Pro 6.9

Axis Camera Station 5.58

Axis Device Manager 5.32

Despite public disclosure, the CVE entries still currently appear under the ‘Reserved’ status on the website of the CVE program, suggesting that more information will be made available after the Team82 session at Black Hat, which is to be held on August 6.

On the US National Vulnerability Database (NVD) website, the four vulnerabilities are registered under the status ‘Awaiting Analysis,’ which typically means that the NVD team has not yet added any enriched data around these flaws.