Advisory
Axis advisory — stale firmware across third-party installs
A non-trivial share of Axis cameras we audit in the GTA are running firmware more than 18 months old. Combined with default credentials, this is the single most common exposure we see.
Affects
Axis publishes firmware updates on a ~quarterly cadence, addressing both functional improvements and CVE-class vulnerabilities. Their LTS programs are well documented and straightforward to follow.
What we see in inherited installs is a different story. Cameras commissioned two or more years ago, on firmware that hasn't been touched since, frequently still carry default or shared credentials. Where those cameras are also reachable from the open internet — usually via misconfigured port forwards — the exposure is direct.
The attack doesn't require novel exploitation. Published CVEs from 2023 onward are sufficient on unpatched cameras. The fix is pedestrian: firmware governance, segmentation, credential rotation.
Mitigation
What to do this week.
1. Inventory every camera and its firmware version. VMS or Axis Device Manager will do this in minutes.
2. Apply LTS firmware to the full fleet. Schedule recurring updates on a quarterly cadence.
3. Rotate credentials using a password manager or vault. Eliminate default and shared passwords.
4. Confirm cameras are on a dedicated VLAN with no direct internet exposure unless absolutely necessary.
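As an added example (not from this advisory, and not an Axis or VMS tool), a small fleet audit that applies the checks above to an inventory export and ranks cameras by exposure. The CSV columns, hostnames and firmware release dates are constructed for illustration; in practice the inventory comes from your VMS or Axis Device Manager export and the release dates from Axis's own release notes.

```python
import csv
import io
from datetime import date

# Constructed inventory export. Column names are an assumption for this example,
# not an Axis Device Manager or VMS export format.
INVENTORY_CSV = """\
hostname,firmware,firmware_released,credential_state,vlan,internet_reachable
cam-lobby-01,10.12.123,2023-01-15,default,10,yes
cam-dock-02,11.9.53,2024-03-12,unique,40,no
cam-yard-03,10.12.123,2023-01-15,shared,10,no
cam-gate-04,11.11.73,2024-09-02,unique,40,yes
"""

STALE_AFTER_DAYS = 18 * 30  # the advisory's ~18-month threshold, approximated in days


def audit_fleet(csv_text: str, today: date) -> list[dict]:
    """Return one record per camera with the findings that apply, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        released = date.fromisoformat(row["firmware_released"])
        age_days = (today - released).days
        issues = []
        if age_days > STALE_AFTER_DAYS:
            issues.append(f"stale firmware ({age_days // 30} months)")
        if row["credential_state"] in ("default", "shared"):
            issues.append(f"{row['credential_state']} credentials")
        if row["internet_reachable"].lower() == "yes":
            issues.append("internet reachable")
        # Direct exposure compounds every other issue, so it weighs the most;
        # weak credentials next; stale firmware alone is the lowest tier.
        score = (
            3 * ("internet reachable" in issues)
            + 2 * any(i.endswith("credentials") for i in issues)
            + 1 * any(i.startswith("stale") for i in issues)
        )
        findings.append({"hostname": row["hostname"], "score": score, "issues": issues})
    findings.sort(key=lambda f: (-f["score"], f["hostname"]))
    return findings


def next_update_window(today: date) -> date:
    """First day of the next calendar quarter: a simple anchor for the quarterly cadence."""
    q_start = ((today.month - 1) // 3) * 3 + 1
    year, month = (today.year, q_start + 3) if q_start < 10 else (today.year + 1, 1)
    return date(year, month, 1)


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed date so the output is reproducible
    for f in audit_fleet(INVENTORY_CSV, today):
        print(f["hostname"], f["score"], "; ".join(f["issues"]) or "ok")
    print("next update window:", next_update_window(today))
```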
Sources
Want us to apply this to your system?
A 30-minute remote review against this advisory, no obligation. We'll tell you on the call whether you're exposed and what the fix looks like.
Book a review