
CVE-2025-30023: Critical RCE in Axis Camera Systems

CVE ID: CVE-2025-30023

Severity: CRITICAL | CVSS: 9.0

Sources: 2 different security sources

Let Me Explain What Happened

Sit down for a moment, because we need to talk about something important affecting Axis Communications camera systems. A critical security flaw has been discovered in the communication protocol that connects Axis camera management software to its servers. Think of it like finding out that the supposedly secure walkie-talkie system your security guards use has been broadcasting conversations that anyone nearby could not only listen to, but also use to send fake commands. An authenticated attacker—someone who has legitimate login credentials—could exploit this flaw to take complete control of your camera management system and execute their own code remotely.

A Bit More Detail

The vulnerability affects Axis Camera Station Pro, Camera Station, and Device Manager products. The problem lies in how the client software talks to the server—there's a fundamental flaw in that communication protocol. With a CVSS score of 9.0, this is about as serious as vulnerabilities get without being a perfect 10. What makes this particularly concerning is the "Changed" scope in the CVSS vector, meaning an attacker who compromises one component could potentially affect resources beyond the vulnerable component itself.

The Technical Specifics

  • Attack Vector: Adjacent Network (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Attack Complexity: Low - Once an attacker has the necessary access, exploitation is straightforward
  • Privileges Required: Low - The attacker needs to be authenticated, but doesn't need administrative privileges
  • User Interaction: None required
  • Scope: Changed - The vulnerability can affect resources beyond its security scope
  • Impact: High confidentiality, integrity, and availability impact
  • CWE Classification: CWE-502 (Deserialization of Untrusted Data)
  • Affected Products: Axis Camera Station Pro, Camera Station, and Device Manager
  • First Disclosed: July 11, 2025 by Axis Communications

Understanding the Root Cause

Let me break down what CWE-502 means in practical terms. Deserialization vulnerabilities occur when an application takes data that's been converted into a storage or transmission format (serialized) and converts it back into usable objects (deserialized) without properly validating that data first. Imagine receiving a package in the mail and opening it without checking who sent it or what's inside—you're trusting that the contents are safe. In this case, the Axis camera management software was accepting serialized data from clients and deserializing it without sufficient security checks. An attacker with valid credentials could craft malicious serialized data that, when processed by the server, executes arbitrary code.

The "Adjacent Network" attack vector tells us something important: the attacker needs to be on the same network segment as the vulnerable system. They can't exploit this from across the internet—they need to be on your local network or a connected network segment. However, don't let that lull you into a false sense of security. In many enterprise environments, once an attacker gains initial access through phishing or other means, they're already on an adjacent network.

The Timeline and Discovery

According to the sources I've reviewed, Axis Communications published their security advisory on July 11, 2025. CISA (Cybersecurity and Infrastructure Security Agency) picked this up and issued their own advisory on December 18, 2025, as part of their ICS (Industrial Control Systems) advisory program under reference ICSA-25-352-08. This tells us that CISA considers this vulnerability significant enough to warrant specific attention from critical infrastructure operators who use these camera systems for physical security.

Cyble's vulnerability intelligence team included this CVE in their year-end vulnerability roundup published on December 31, 2025, noting it as part of an alarming trend of vulnerabilities discovered throughout the year. They tracked 1,782 vulnerabilities in their final week of monitoring alone, making this the third-highest weekly count they'd recorded.

What You Should Do About This

Here's my guidance, presented in order of urgency:

  • Right Now - Emergency Actions:
    • Identify your exposure: Determine if you're running Axis Camera Station Pro, Camera Station, or Device Manager in your environment. Check your asset inventory and talk to your facilities or physical security teams.
    • Review network segmentation: Ensure these camera management systems are properly isolated on dedicated network segments with restricted access. Remember, the attack vector is "adjacent network," so proper segmentation significantly reduces your risk.
    • Audit authentication: Review who has authenticated access to these systems. The vulnerability requires low-level authenticated access, so reducing the number of accounts with access reduces your attack surface.
    • Monitor for suspicious activity: Look for unusual authentication patterns, unexpected network connections to your camera management servers, or any signs of unauthorized code execution.
  • For the Long Term - Remediation:
    • Apply vendor patches: Visit Axis Communications' security advisory at https://www.axis.com/dam/public/9b/a5/72/cve-2025-30023pdf-en-US-485733.pdf for specific patch information and affected version details. Axis has published detailed remediation guidance.
    • Implement defense in depth: Even after patching, maintain network segmentation, use strong authentication mechanisms, and consider implementing additional monitoring for these critical physical security systems.
    • Review deserialization practices: If you develop custom integrations with these systems, ensure you're following secure coding practices around deserialization of data.
    • Stay informed: Subscribe to Axis Communications security advisories and CISA ICS alerts to receive timely notification of future vulnerabilities.

Detection and Hunting Guidance

If you're a security analyst or SOC team member looking to hunt for potential exploitation attempts, here's what to look for:

  • Network-level indicators: Unusual traffic patterns between clients and Axis Camera Station servers, particularly looking for abnormal serialized data payloads in the communication protocol
  • Authentication anomalies: Multiple failed authentication attempts followed by successful logins, or authenticated sessions exhibiting unusual behavior patterns
  • Process execution: Unexpected child processes spawned by Axis Camera Station services, particularly command shells or scripting interpreters
  • File system changes: New files created in Axis Camera Station installation directories, particularly executable files or scripts
  • Network connections: Outbound connections from camera management servers to unexpected destinations, which could indicate command and control activity
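To make the process-execution indicator above concrete, here is an added example (not from the advisory, CISA, or Axis) that scans constructed Sysmon-style process-creation records for shells or script hosts spawned by an Axis service process. The service image names, the installation paths, and the key="value" log layout are assumptions to adapt to your own telemetry.

```python
import re

# Assumption (not stated in the advisory): the server-side Axis processes are
# named like "AxisCameraStationServer.exe" / "AxisDeviceManager.exe"; replace
# this pattern with the real service image names in your environment.
AXIS_SERVICE = re.compile(r"axis.*(camerastation|devicemanager)", re.IGNORECASE)

# Shells and script hosts a camera management service has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
}

def parse_event(line):
    """Turn one key="value" telemetry record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(evt):
    """Flag a shell/interpreter whose parent is an Axis service process."""
    parent = basename(evt.get("ParentImage", ""))
    child = basename(evt.get("Image", ""))
    return bool(AXIS_SERVICE.search(parent)) and child in SUSPICIOUS_CHILDREN

def hunt(lines):
    """Return (time, parent, child) for every suspicious ProcessCreate event;
    records of other event types are skipped."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        if evt.get("EventType") == "ProcessCreate" and is_suspicious(evt):
            hits.append((evt["UtcTime"], basename(evt["ParentImage"]), basename(evt["Image"])))
    return hits

# Constructed sample records (not real telemetry): one benign Axis child process,
# two suspicious ones, an admin PowerShell session, and a non-process event.
SAMPLE_LOG = [
    r'EventType="ProcessCreate" UtcTime="2025-12-19 08:13:55" ParentImage="C:\Program Files\Axis Communications\AXIS Camera Station\AxisCameraStationServer.exe" Image="C:\Program Files\Axis Communications\AXIS Camera Station\AxisCameraStationWorker.exe"',
    r'EventType="ProcessCreate" UtcTime="2025-12-19 08:14:02" ParentImage="C:\Program Files\Axis Communications\AXIS Camera Station\AxisCameraStationServer.exe" Image="C:\Windows\System32\cmd.exe"',
    r'EventType="ProcessCreate" UtcTime="2025-12-19 08:20:10" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'EventType="NetworkConnect" UtcTime="2025-12-19 08:21:00" Image="C:\Program Files\Axis Communications\AXIS Camera Station\AxisCameraStationServer.exe" DestinationIp="203.0.113.7"',
    r'EventType="ProcessCreate" UtcTime="2025-12-19 08:25:41" ParentImage="C:\Program Files\Axis Communications\AXIS Device Manager\AxisDeviceManager.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("SUSPICIOUS child process:", hit)
```

Run against the sample, only the two records where an Axis service image parents cmd.exe or powershell.exe are reported; the admin's PowerShell launched from explorer.exe is not.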

The Bigger Picture

This vulnerability reminds us of an important principle: physical security systems are increasingly digital, and digital systems have digital vulnerabilities. Many organizations treat their camera systems as "set it and forget it" infrastructure, but these systems require the same security attention as your servers and workstations. They're computers running software, connected to networks, and they can be compromised.

The fact that CISA issued an ICS advisory for this vulnerability underscores its significance for critical infrastructure. Camera systems aren't just about recording footage—they're integral to physical security operations, access control, and incident response. A compromised camera management system could allow an attacker to disable cameras during a physical intrusion, manipulate recorded footage, or use the camera network as a pivot point for further attacks.

MITRE ATT&CK Mapping

For those of you who map vulnerabilities to the MITRE ATT&CK framework, this vulnerability could enable several techniques:

  • T1203 - Exploitation for Client Execution: The deserialization flaw allows code execution through exploitation
  • T1210 - Exploitation of Remote Services: Remote code execution on the camera management server
  • T1557 - Adversary-in-the-Middle: CISA's advisory mentions potential man-in-the-middle style attacks
  • T1078 - Valid Accounts: The vulnerability requires authenticated access, highlighting the importance of credential security

Where I Found This Information


Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere, and consult with your vendor support team if you have questions about specific remediation steps for your environment.
