A total of 6,500 Axis servers were found with the Remoting protocol exposed and susceptible to potential exploits, 4,000 of them located in the United States.
Cybersecurity researchers have identified multiple security vulnerabilities in video surveillance products from Axis Communications that could potentially lead to takeover attacks. These flaws allow for pre-authentication remote code execution on the Axis Device Manager, a server responsible for configuring and managing camera fleets, as well as on the Axis Camera Station, the client software used to view camera feeds. Claroty researcher Noam Moshe highlighted that attackers could exploit these vulnerabilities to perform granular, highly targeted attacks by scanning the internet for exposed Axis.Remoting services. The identified flaws include CVE-2025-30023, CVE-2025-30024, CVE-2025-30025, and CVE-2025-30026, with CVE-2025-30023 having a critical CVSS score of 9.0.
Successful exploitation of these vulnerabilities could enable attackers to assume an adversary-in-the-middle (AitM) position, allowing them to manipulate requests and responses between the Camera Station and its clients. This could result in system-level access to the internal network, granting control over the cameras within a specific deployment. Claroty reported discovering over 6,500 servers exposing the proprietary Axis.Remoting protocol online, with nearly 4,000 located in the U.S. Although there is currently no evidence of these issues being exploited in the wild, the potential for hijacking, viewing, or shutting down camera feeds poses significant security risks.