Connect with us

Hi, what are you looking for?



Critical Flaws Expose 400 Axis Cameras to Remote Attacks

Roughly 400 security cameras from Axis Communications are affected by several vulnerabilities, including critical flaws that can be chained to take complete control of a device and access its video stream.

Roughly 400 security cameras from Axis Communications are affected by several vulnerabilities, including critical flaws that can be chained to take complete control of a device and access its video stream.

As part of its research into IoT devices, cybersecurity firm VDOO has uncovered a total of seven vulnerabilities in cameras made by Axis. The vendor has identified nearly 400 affected models and released patches for each of them.

According to VDOO, an attacker who knows the targeted camera’s IP address can remotely and without authentication take full control of the device. This includes accessing its video stream, freezing the video stream, controlling the direction and functions of the camera (e.g. motion detection), adding the device to a botnet, altering its software, leveraging it for lateral movement within the network, abusing it for DDoS attacks and cryptocurrency mining, and rending the camera useless.Critical vulnerabilities found in Axis cameras

There are three vulnerabilities that can be chained to remotely hack a device. These allow an attacker to bypass authentication (CVE-2018-10661), send specially crafted requests as root (CVE-2018-10662), and inject arbitrary shell commands (CVE-2018-10660).

The other flaws discovered by VDOO can be exploited by unauthenticated attackers to crash various processes or to obtain information from the memory.

Technical details and proof-of-concept (PoC) code have been made public for each of the vulnerabilities.

Axis has published an advisory containing the names of all impacted cameras and which firmware version contains patches.

This was not the first time researchers discovered vulnerabilities in cameras from Axis. Roughly one year ago, Senrio found a security hole, dubbed Devil’s Ivy, that allowed an attacker to cause a DoS condition or execute arbitrary code on Axis cameras. Since that flaw affected a third-party component, other IoT devices were affected as well.

Advertisement. Scroll to continue reading.

As part of its research into IoT products, VDOO also discovered serious vulnerabilities in Foscam cameras. Foscam also released patches, unlike last year when researchers were forced to disclose multiple flaws after the vendor failed to take action.

Related: Multiple Vulnerabilities Found in Popular IP Cameras

Related: Flaws Expose FLIR Thermal Cameras to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.