Ddos 
Trend Micro’s Threat Research team has uncovered a serious cloud credential exposure involving Axis Communications, a leading provider of network surveillance and security devices. The issue originated from signed DLLs within a plugin for Autodesk Revit, one of the most widely used architectural design tools in the world.
The discovery began when Trend Micro’s automated detection rule for Azure Shared Access Signature (SAS) tokens flagged a suspicious file on July 8, 2024. The file, a digitally signed DLL named AzureBlobRestAPI.dll, contained hard-coded Azure credentials that granted access to Axis’s cloud storage accounts.
“The plugin’s MSI installer contained .NET DLLs that had Storage Account credentials including access keys and SAS tokens. The exposure of these credentials could allow unauthorized read and write access to three of the vendor’s storage accounts.”
The credentials belonged to two Azure storage accounts — axisfiles and axiscontentfiles — and were embedded inside the DLL’s internalSetEnvironment method. The tokens were valid, allowing researchers to fully control configuration, upload, and delete data in the accounts.
“The credentials turned out to be valid. As a result, they allowed a user to take control of the two storage accounts – from configuration to read/write access to the storage account artifacts.”
Inside the exposed storage, Trend Micro found MSI installers for the Axis Plugin for Autodesk Revit, as well as Autodesk RFA model files — used by architects and engineers to design 3D models of buildings equipped with Axis devices.
The compromised component, known as the AXIS Plugin for Autodesk Revit, is distributed to Axis customers to integrate Axis cameras, radars, and sensors into architectural designs. Because the plugin is used by professionals in construction, government, and security, the exposure carried a high-value supply-chain risk.
Trend Micro warned that the same plugin, if compromised, could be used to inject malicious MSI installers or tamper with Revit model files, reaching thousands of trusted partners and clients downstream.
“Attackers could mount a supply-chain attack by uploading crafted RFA files to the Axis storage account, achieving a mass compromise of Axis Communications customers consisting of Autodesk Revit users.”
After Trend Micro reported the issue through the Zero Day Initiative (ZDI) under ZDI-24-1181, Axis Communications took action, releasing an updated plugin (v25.3.710). However, the first fix merely obfuscated the exposed credentials instead of removing them — a step that researchers said “was far from enough.”
Subsequent updates (v25.3.711 and v25.3.718) eventually revoked the access keys and replaced them with limited-permission SAS tokens, closing the vulnerability.
Axis also confirmed that there had been no evidence of unauthorized access or compromise, and all vulnerable versions were removed from their cloud storage.
Related Posts:
- Critical Security Flaws Found in AXIS OS: Patch Your Devices Now!
- Two critical Microsoft PC Manager bugs let an attacker launch a supply-chain attack
- Critical RCE Vulnerability Discovered in Axis Video Management Software
- Autodesk Patches Critical Flaws in Popular Design Software
- 40 Zero-Day Vulnerabilities Found in Autodesk AutoCAD
Donate