For Axis device owners: audit your exposure today, lock down remote access, and keep firmware updated. And if you see your own cameras in Google results — take immediate action.
If a web server must be public, utilize a robots.txt file with Disallow: / to request that search engines do not index the directory. Conclusion
If you are still operating legacy Axis video servers, you must take immediate steps to hide them from the public eye: inurl indexframe shtml axis video serveradds 1l exclusive
Keep device firmware updated to the latest manufacturer patch level to replace legacy, vulnerable web interfaces. To help secure your network, tell me: What of Axis cameras do you operate? Are your devices currently connected via port forwarding ? Do you have a firewall or VPN deployed upstream?
: Never expose these devices directly to the internet. Instead, use a VPN to access your local network securely. For Axis device owners: audit your exposure today,
If you discover your own Axis device is publicly accessible:
: Recent research has shown that even indirectly related Axis components can introduce risk. In July 2024, cybersecurity firm Trend Micro found that a plugin for Autodesk Revit software, distributed by an Axis partner, contained hardcoded, cleartext credentials for an Azure cloud storage account. This could have allowed an attacker to upload malicious files to Axis's cloud storage, potentially leading to a "mass compromise" of Axis customers. Axis has since patched this issue in a later software version. Conclusion If you are still operating legacy Axis
Thus, a Google search for inurl:indexframe.shtml intitle:"Axis Video Server" could return hundreds of devices accessible from the public internet — if misconfigured.
: It offers an overview of all programmed events, showing which are active, what triggers them (e.g., motion or alarm inputs), and their subsequent actions.
A server that exposes its video feed often exposes other metadata, such as location data or network configurations, which can be used for more targeted cyberattacks. The Responsibility of Manufacturers and Users