Critical Vulnerabilities in Axis Communications Camera Station Pro and Device Manager (ICSA-25-352-08)
CISA warns of severe flaws in Axis Communications' Camera Station Pro, Camera Station, and Device Manager enabling RCE, MitM attacks, and authentication bypass. Patch immediately.
Critical Flaws in Axis Communications Video Management Software Expose Systems to Remote Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed multiple critical vulnerabilities in Axis Communications’ Camera Station Pro, Camera Station, and Device Manager products. If exploited, these flaws could allow attackers to execute arbitrary code, conduct man-in-the-middle (MitM) attacks, or bypass authentication mechanisms, posing severe risks to enterprise surveillance and IoT security environments.
Technical Details
The advisory (ICSA-25-352-08) highlights the following affected software versions:
- Camera Station Pro (versions prior to 5.30.102)
- Camera Station (versions prior to 5.30.102)
- Device Manager (versions prior to 1.10.1)
While CISA has not released full technical details or CVE identifiers in the public advisory, the vulnerabilities are classified as high-severity due to their potential impact. Exploitation could enable:
- Remote Code Execution (RCE): Attackers may gain full control over affected systems, allowing for data exfiltration, lateral movement, or deployment of malware.
- Man-in-the-Middle (MitM) Attacks: Adversaries could intercept and manipulate network traffic between cameras, management software, and backend systems.
- Authentication Bypass: Unauthorized users may gain access to sensitive video feeds, device configurations, or administrative functions without proper credentials.
Impact Analysis
Axis Communications’ products are widely deployed in critical infrastructure sectors, including government, healthcare, transportation, and industrial facilities. Successful exploitation of these vulnerabilities could lead to:
- Unauthorized surveillance of secure areas
- Disruption of security operations (e.g., tampering with camera feeds)
- Compromise of broader network infrastructure if devices are used as pivot points
- Regulatory compliance violations (e.g., GDPR, HIPAA, or NIST standards for video data protection)
Given the low attack complexity required for some of these flaws, organizations using affected versions should assume active scanning and exploitation attempts by threat actors.
Recommendations
CISA and Axis Communications urge users to immediately apply the following mitigations:
- Update to the latest patched versions:
  - Camera Station Pro and Camera Station: Upgrade to v5.30.102 or later.
  - Device Manager: Upgrade to v1.10.1 or later.
- Isolate vulnerable systems: Segment network traffic for surveillance devices to limit exposure to corporate or operational networks.
- Monitor for suspicious activity: Deploy intrusion detection/prevention systems (IDS/IPS) to detect anomalous traffic patterns, such as unexpected RCE attempts or MitM behavior.
- Review access controls: Ensure multi-factor authentication (MFA) is enabled for all administrative interfaces and restrict access to trusted IP ranges.
- Audit device configurations: Verify that default credentials have been changed and that unnecessary services (e.g., Telnet, FTP) are disabled.
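One way to turn the version thresholds above into a repeatable inventory check, as an added example that is not part of the advisory or of any Axis tooling: the script compares installed versions numerically against the fixed versions named here, because a plain string comparison would rank 5.9.x above 5.30.102 and miss affected hosts. The inventory rows, hostnames and versions are constructed for illustration.

```python
"""Flag inventoried Axis installs still below the fixed versions in ICSA-25-352-08."""
from dataclasses import dataclass
from typing import List, Tuple

# Minimum fixed versions as stated in the advisory.
FIXED_VERSIONS = {
    "Camera Station Pro": "5.30.102",
    "Camera Station": "5.30.102",
    "Device Manager": "1.10.1",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 5.30.102 > 5.9.1 compares
    numerically; comparing the raw strings would get this backwards."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed version is below the advisory's fixed version."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise ValueError(f"product not covered by ICSA-25-352-08: {product}")
    return parse_version(installed) < parse_version(fixed)

@dataclass
class Finding:
    host: str
    product: str
    installed: str
    required: str

def audit(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Return one Finding per (hostname, product, installed_version) row
    that still runs an affected version."""
    findings = []
    for host, product, installed in inventory:
        if is_vulnerable(product, installed):
            findings.append(Finding(host, product, installed, FIXED_VERSIONS[product]))
    return findings

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vms-01", "Camera Station Pro", "5.30.102"),  # patched
    ("vms-02", "Camera Station Pro", "5.9.1"),     # string compare would call this newer
    ("ops-01", "Camera Station", "5.30.101"),      # one build short of the fix
    ("admin-pc", "Device Manager", "1.10.1"),      # patched
    ("admin-pc2", "Device Manager", "1.9.3"),      # affected
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.installed} < {f.required} -> update required")
```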
For further details, refer to the CISA advisory (ICSA-25-352-08) and the CSAF vulnerability report.
Organizations are advised to treat this as a high-priority patching event due to the critical nature of the vulnerabilities and the potential for widespread exploitation in unpatched environments.