IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft

2021-10-05 21:09

Three vulnerabilities in the IP video-surveillance systems created by Axis Communications could allow arbitrary code execution, among other attacks.

That's according to Nozomi Networks Labs, whose researchers examined the company's Axis Companion Recorder, a compact network video recorder that stores IP surveillance video coming from attached cameras.

SMTP header injection allows attackers to inject additional headers with arbitrary values into emails, through which they could send copies of emails to third parties, spread malware, deliver phishing attacks, alter the content of emails, disclose information and more.

Connected camera ecosystems and other internet-of-things gear are often in the crosshairs of both vulnerability hunters and attackers.

The flaws are endemic and tend to have widespread affects: In June Nozomi researchers found that millions of connected security and home cameras contained a critical software vulnerability that can allow remote attackers to tap into video feeds.

Perhaps it's no wonder that the first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal data, mine cryptocurrency or build botnets.

News URL

https://threatpost.com/ip-surveillance-bugs-axis-rce-data-theft/175350/

#RCE #surveillance

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Axis		833	2	28	16	13	59