Axis Communications Camera Station Pro, Camera Station, and Device Manager (Update B)
Plan Patch · CVSS 9 · ICS-CERT ICSA-25-352-08 · Dec 18, 2025
Attack path
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Axis Communications Camera Station Pro, Camera Station, and Device Manager contain three vulnerabilities (CVE-2025-30023, CVE-2025-30024, CVE-2025-30025, CVE-2025-30026) allowing arbitrary code execution, man-in-the-middle attacks, and authentication bypass. Affected versions: Camera Station Pro below 6.9, Camera Station below 5.58, Device Manager below 5.32.
What this means
What could happen
An attacker with network access could execute arbitrary code on the Camera Station management server, intercept and modify camera management traffic, or bypass authentication to gain unauthorized access to the video management system.
Who's at risk
Organizations operating Axis video management infrastructure should prioritize this. Affected are: IT/OT teams managing Axis Camera Station Pro and Camera Station (surveillance and video management systems common in utility facilities, water treatment plants, and critical infrastructure), and administrators managing Axis Device Manager for camera fleet management.
How it could be exploited
An attacker on the network could craft malicious requests to the vulnerable Camera Station or Device Manager service to trigger code execution, or position themselves to intercept unencrypted or improperly validated management communications to perform a man-in-the-middle attack and bypass authentication controls.
Prerequisites
- Network access to the Camera Station Pro, Camera Station, or Device Manager service (typically TCP port 80/443 or internal network access)
- For authentication bypass: ability to intercept or send requests to the management service
- For code execution: exploitation of deserialization or similar code execution mechanisms may require specific payload construction
remotely exploitable · authentication bypass possible · arbitrary code execution on management server · affects video management infrastructure · CVSS 9.0 (high severity) · low EPSS score (2.6%) reduces immediate threat but not patch urgency
Exploitability
Some exploitation risk — EPSS score 6.6%
Affected products (5)
5 with fix
Product                          Affected Versions   Fix Status
AXIS Camera Station Pro: <6.8    <6.8                6.9+
AXIS Camera Station: All_5.x     All 5.x             5.58+
AXIS Camera Station Pro: <6.9    <6.9                6.9+
AXIS Camera Station: <5.58       <5.58               5.58+
AXIS Device Manager: <5.32       <5.32               5.32+
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Camera Station and Device Manager services to only authorized management workstations and control networks using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade AXIS Camera Station Pro to version 6.9 or later
HOTFIX: Upgrade AXIS Camera Station to version 5.58 or later
HOTFIX: Upgrade AXIS Device Manager to version 5.32 or later
Long-term hardening
HARDENING: Segment the video management network from operational technology networks to limit lateral movement if the management service is compromised
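
To work through the upgrade items above across a fleet, the following added example (not part of the advisory or of any Axis tooling) checks an inventory against the fix versions listed for each product. It compares dotted versions component by component, because string or float comparison misorders cases such as 5.9 vs 5.58 and 6.10 vs 6.9; the inventory tuple layout, hostnames and build numbers are constructed assumptions.

```python
import re

# First fixed release per product, taken from the advisory's fix column.
FIXED = {
    "AXIS Camera Station Pro": (6, 9),
    "AXIS Camera Station": (5, 58),
    "AXIS Device Manager": (5, 32),
}

def parse_version(text):
    """Turn '5.57.33556' into (5, 57, 33556); reject anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_fixed(product, version):
    """True when the installed version is at or above the first fixed release."""
    fixed, installed = FIXED[product], parse_version(version)
    width = max(len(fixed), len(installed))  # pad so '6.9' equals '6.9.0'
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(fixed)

def triage(inventory):
    """Return (host, product, version, status); bad rows are flagged, not skipped."""
    rows = []
    for host, product, version in inventory:
        try:
            status = "ok" if is_fixed(product, version) else "UPGRADE"
        except KeyError:
            status = "UNKNOWN PRODUCT"
        except ValueError:
            status = "CHECK MANUALLY"
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("vms-01", "AXIS Camera Station Pro", "6.8.12"),
    ("vms-02", "AXIS Camera Station Pro", "6.10.1"),
    ("vms-03", "AXIS Camera Station", "5.9"),
    ("vms-04", "AXIS Camera Station", "5.58"),
    ("adm-01", "AXIS Device Manager", "5.31.2"),
    ("adm-02", "AXIS Device Manager", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("{:8} {:26} {:10} {}".format(*row))
```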