UPnP is a protocol that allows devices on a local network to automatically discover each other and open ports on the router to communicate with the wider internet. While convenient, UPnP frequently opens local camera feeds to the public internet without the user's explicit knowledge.
If you own Axis (or any brand of) network cameras, follow these steps to ensure you do not appear in search results:
To understand why this specific URL path exists, it helps to examine how Axis network cameras handle video streaming.
Threat actors can monitor camera feeds to determine building layouts, track guard patrol schedules, or check if a property is occupied.
Beyond legal consequences, there are compelling ethical reasons to avoid accessing exposed camera feeds. Every vulnerable camera represents a failure of security practices, but exploiting that failure does not remedy it. Responsible security researchers report vulnerabilities to the affected organization or through established disclosure programs. Axis operates a bug bounty program, encouraging ethical hackers to identify and report vulnerabilities in its products. Several recent CVE disclosures, including CVE-2024-47262 and CVE-2025-9524, have been credited to members of the Axis OS Bug Bounty Program, demonstrating that responsible disclosure works. By reporting vulnerabilities rather than exploiting them for personal viewing, security researchers help protect the privacy and security of the individuals whose images appear on those camera feeds.
The issue extends far beyond isolated instances of exposed cameras. In August 2025, researchers from Claroty's Team82 uncovered four severe vulnerabilities in Axis Communications' video surveillance systems, affecting Axis Device Manager (ADM) and Axis Camera Station (ACS). The vulnerabilities involve Axis's proprietary Axis.Remoting communication protocol and allow unauthenticated remote code execution on affected systems. The exploitation chain could enable attackers to hijack, view, or disable live camera feeds. As the researchers explained, "attackers can leverage these exploit chains to access the centralised Axis Device Manager server used by organisations to manage their fleets of Axis devices, as well as the Axis Camera Station, software allowing end-users to access and consume camera feeds in a centralised location."
In the United States, the Computer Fraud and Abuse Act (CFAA) is the primary federal statute governing unauthorized computer access. The CFAA prohibits seven categories of conduct involving unauthorized access to computers, including computer trespass and unauthorized access with intent to defraud. Even accessing a device that appears to have no authentication barriers can constitute "unauthorized access" under the law. The CFAA's definition of "exceeds authorized access" has been the subject of extensive litigation, with the Supreme Court holding that it applies when someone accesses information they are not entitled to obtain. Penalties can include up to 10 years of imprisonment for causing significant damage. Even if no damage is caused, accessing a protected computer without authorization remains a violation.
Prevents the camera from automatically opening ports on the firewall.
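
To check whether a router still holds UPnP port mappings that point at a camera, the mapping table can be audited. The following is an added example, not code from the original page: it parses SOAP responses to the UPnP IGD `GetGenericPortMappingEntry` action, assumed to have been retrieved already from your own router, and flags enabled mappings whose internal client is a known camera. The function names, the `CAMERA_HOSTS` inventory and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed inventory of camera addresses on the LAN (assumption).
CAMERA_HOSTS = {ip_address("192.168.1.50"), ip_address("192.168.1.51")}
REQUIRED = {"NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient"}

def parse_mapping(soap_xml):
    """Return the New* arguments of one GetGenericPortMappingEntry response."""
    entry = {}
    for elem in ET.fromstring(soap_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # strip any XML namespace
        if tag.startswith("New"):
            entry[tag] = (elem.text or "").strip()
    if not REQUIRED.issubset(entry):
        raise ValueError("not a port-mapping response")
    return entry

def exposed_cameras(responses, camera_hosts=CAMERA_HOSTS):
    """List enabled mappings that forward WAN traffic to a known camera."""
    findings = []
    for m in map(parse_mapping, responses):
        try:
            client = ip_address(m["NewInternalClient"])
        except ValueError:
            continue                                # hostname clients are not handled here
        if m.get("NewEnabled", "1") == "1" and client in camera_hosts:
            findings.append({
                "camera": str(client),
                "external": f'{m["NewExternalPort"]}/{m["NewProtocol"].lower()}',
                "internal_port": int(m["NewInternalPort"]),
                "any_source": m.get("NewRemoteHost", "") == "",  # empty = any remote host
                "description": m.get("NewPortMappingDescription", ""),
            })
    return findings

def sample_response(ext, proto, port, client, enabled="1", desc=""):
    """Build a constructed SOAP response body for the demo data below."""
    args = {"NewRemoteHost": "", "NewExternalPort": ext, "NewProtocol": proto,
            "NewInternalPort": port, "NewInternalClient": client,
            "NewEnabled": enabled, "NewPortMappingDescription": desc}
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

# Constructed sample table: one live camera mapping, one unrelated, one disabled.
SAMPLES = [sample_response(8080, "TCP", 80, "192.168.1.50", desc="camera"),
           sample_response(3074, "UDP", 3074, "192.168.1.20", desc="console"),
           sample_response(554, "TCP", 554, "192.168.1.51", enabled="0")]
```

Any entry returned by `exposed_cameras` is a mapping to delete on the router before or after UPnP is turned off, since existing mappings can persist until their lease expires or the router restarts.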