Critical RCE in Axis Camera Station Pro and Device Manager (CVE-2025-30023)
Summary
A flaw in the proprietary client-server protocol behind Axis Camera Station mishandles deserialization of untrusted data, letting an authenticated user on the adjacent network execute arbitrary code on the management server. Because the CVSS vector records a scope change (S:C), the impact is not confined to the vulnerable protocol component: a foothold on one VMS host can cascade into full compromise of confidentiality, integrity, and availability across connected systems. This is a server-tier break, not a single-camera bug, which makes it a priority for any environment running Axis recording infrastructure.
Affected products
Impact
Authenticated remote code execution on the VMS server with scope change, enabling lateral movement across the surveillance estate, tampering with recorded evidence, and disruption of live monitoring. In federal and critical-infrastructure deployments, an evidence-integrity compromise of this class can invalidate chain-of-custody and trigger incident-reporting obligations.
Remediation
Upgrade immediately to AXIS Camera Station Pro 6.9, AXIS Camera Station 5.58, or AXIS Device Manager 5.32 or later. Until patched, reduce exposure by removing each of the attack's preconditions: exploitation needs both adjacent-network reach and valid credentials, so isolate management servers on a dedicated VLAN, restrict client access to known management workstations, and enforce least-privilege operator accounts with no shared logins. Uniqcli Security can inventory your Axis Camera Station and Device Manager versions, stage and validate the upgrade against your recording schedule, and harden the management network so the fix lands without dropping live coverage.
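The first step of the remediation above is knowing which hosts are still below the fixed releases. The following is an added example, not Axis or Uniqcli code: it takes an inventory of (host, product, version) records and classifies each against the fixed versions named in this advisory. The inventory records are constructed sample data, and collecting the version strings from each host (for example from the Windows installed-programs list) is assumed to happen separately. The comparison is numeric per component, because a naive string comparison would rank "5.6" above "5.58" and silently miss a vulnerable AXIS Camera Station install.

```python
"""Triage an Axis VMS inventory against the CVE-2025-30023 fixed releases.

Added example (not vendor code). Fixed versions come from the remediation
text of this advisory; SAMPLE_INVENTORY is constructed sample data.
"""
from dataclasses import dataclass

# Minimum fixed release per product, as stated in the advisory.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "AXIS Camera Station Pro": (6, 9),
    "AXIS Camera Station": (5, 58),
    "AXIS Device Manager": (5, 32),
}


@dataclass(frozen=True)
class HostRecord:
    host: str
    product: str
    version: str  # version string as reported by the host


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.58.012' into (5, 58, 12) so comparisons are numeric.

    A lexical comparison would wrongly treat '5.6' as newer than '5.58'.
    Raises ValueError on anything that is not dot-separated integers.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the installed version is below the fixed release for product."""
    fixed = FIXED_VERSIONS[product]
    installed = parse_version(version)
    # Only compare as many components as the fixed release specifies, so
    # 5.58.0 and 5.58.7 both count as fixed against a 5.58 threshold, while
    # a bare '6' compares as (6,) < (6, 9) and is correctly flagged.
    return installed[: len(fixed)] < fixed


def triage(inventory: list[HostRecord]) -> dict[str, list[str]]:
    """Bucket hosts into vulnerable / fixed / unknown.

    'unknown' collects products this advisory does not cover and version
    strings that could not be parsed; both need a manual look rather than
    being silently treated as safe.
    """
    result: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for rec in inventory:
        if rec.product not in FIXED_VERSIONS:
            result["unknown"].append(rec.host)
            continue
        try:
            flagged = is_vulnerable(rec.product, rec.version)
        except ValueError:
            result["unknown"].append(rec.host)
            continue
        result["vulnerable" if flagged else "fixed"].append(rec.host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    HostRecord("vms-01", "AXIS Camera Station Pro", "6.8.1"),
    HostRecord("vms-02", "AXIS Camera Station Pro", "6.9.0"),
    HostRecord("vms-03", "AXIS Camera Station", "5.6"),      # lexically > 5.58, numerically below
    HostRecord("vms-04", "AXIS Camera Station", "5.58"),
    HostRecord("adm-01", "AXIS Device Manager", "5.31.041"),
    HostRecord("adm-02", "AXIS Device Manager", "5.32.0"),
    HostRecord("ws-09", "AXIS Companion", "4.2"),            # not covered by this advisory
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are deliberately not folded into "fixed": an unparseable version or an uncovered product is a gap in the inventory, and treating it as patched is how a vulnerable server survives a remediation sweep.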
Want us to handle it?
We patch, harden or replace affected devices and document the closeout.
Request a fleet scan: scan your fleet for vulnerable or banned devices.
Tell us what you need secured. We'll confirm compliance, design the system, and quote it — no payment up front.
