Full Report
Researchers uncovered exposed Azure Storage Account credentials embedded in Axis Communications’ Autodesk Revit plugin, enabling unauthorized read/write access to cloud-hosted installers and RFA model files. When combined with multiple remote-code-execution (RCE) vulnerabiliti...
Analysis Summary
# Vulnerability: Exposed Azure Storage Credentials in Axis Autodesk Revit Plugin Leading to Supply Chain Compromise
## CVE Details
- CVE ID: None given for the credential exposure itself. The source refers to "multiple RCE vulnerabilities in Autodesk Revit", which may carry their own CVE IDs.
- CVSS Score: Not provided.
- CWE: CWE-319: Cleartext Transmission of Sensitive Information (Applicable to embedded credentials).
## Affected Systems
- Products: Axis Communications Autodesk Revit Plugin
- Versions: Prior versions containing embedded Azure Storage Account credentials and SAS tokens. (Specific version numbers are not listed, but remediation implies fixed versions are available).
- Configurations: Standard installation of the vulnerable plugin component integrated with Autodesk Revit.
## Vulnerability Description
Researchers discovered hardcoded, cleartext Azure Storage Account credentials (including SAS tokens) embedded within the signed .NET DLLs of the Axis Communications Autodesk Revit plugin. These credentials provided **over-privileged read/write access** to cloud storage containers hosting official product installers (MSI) and Revit RFA model files. This flaw, when combined with known Remote Code Execution (RCE) vulnerabilities in Autodesk Revit's RFA file parsing, creates a severe supply-chain attack vector, allowing an attacker to replace legitimate files with malicious payloads.
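A pre-release check for this class of flaw, as an added example (not code from the researchers, Axis or Autodesk): it scans a built binary for Azure Storage account keys and SAS tokens and reports whether a token's `sp` permissions allow modifying container contents. .NET string literals are stored as UTF-16, so the scan covers ASCII and both UTF-16LE alignments; `find_storage_secrets`, `SAMPLE` and the account name `exampleacct` are hypothetical, and the sample bytes are constructed.

```python
import re
from urllib.parse import parse_qs

# SAS query string: a run of query characters that contains a sig= parameter.
SAS_RE = re.compile(r"[A-Za-z0-9%&=:.+/_-]*sig=[A-Za-z0-9%&=:.+/_-]+")
# Shared key inside a storage connection string (long base64 value).
KEY_RE = re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}")
# SAS "sp" letters that allow changing container contents.
MUTATING = set("wdca")  # write, delete, create, add


def text_views(data: bytes):
    """Yield the bytes as ASCII and as UTF-16LE at both byte alignments."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")


def find_storage_secrets(data: bytes):
    """Return findings without echoing the secret material itself."""
    findings = []
    for view in text_views(data):
        for m in SAS_RE.finditer(view):
            params = parse_qs(m.group(0))
            if "sp" not in params and "sv" not in params:
                continue  # sig= alone is too weak a signal
            perms = set(params.get("sp", [""])[0])
            findings.append({
                "kind": "sas_token",
                "permissions": "".join(sorted(perms)),
                "expiry": params.get("se", [None])[0],
                "can_modify": bool(perms & MUTATING),
            })
        for _ in KEY_RE.finditer(view):
            findings.append({"kind": "account_key", "can_modify": True})
    return findings

# Constructed sample: fake DLL bytes with one UTF-16LE literal and one ASCII one.
SAMPLE = (
    b"MZ\x90"
    + ("https://exampleacct.blob.core.windows.net/installers"
       "?sv=2021-08-06&sp=rwdl&se=2030-01-01T00:00:00Z&sr=c"
       "&sig=Q09OU1RSVUNURURfU0lH").encode("utf-16-le")
    + b"\x00\x00AccountName=exampleacct;AccountKey=" + b"A" * 86 + b"==;"
)

if __name__ == "__main__":
    print(find_storage_secrets(SAMPLE))
```

Any finding with `can_modify` set in a shipped client binary is the over-privileged pattern described above; a distribution client should need read access at most.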
## Exploitation
- Status: Exploitation is implied as viable and linked to existing RCE conditions ("...allowed continued exploitation until later versions were issued").
- Complexity: Low to Medium (RCE combination required, but credential exposure is static and accessible).
- Attack Vector: Network (Once credentials are known, remote modification of storage is possible) leading to Local execution (when downstream user installs/opens files).
## Impact
- Confidentiality: High (Potential access to configuration data/files in storage).
- Integrity: Critical (Ability to upload malicious installers or RFA files to legitimate distribution channels).
- Availability: Low (The primary impact is focused on integrity and confidentiality, not system denial).
## Remediation
### Patches
- Axis has remediated the credential exposure and issued **patched plugin versions**. Users are advised to update to the latest version provided by Axis/Autodesk.
- *Note: Remediation also involved subsequent credential rotation/unrotation efforts in later versions.*
### Workarounds
- Temporarily audit and monitor the integrity of any installed files originating from the Axis plugin source until the latest patched version is installed.
- If feasible, isolate the cloud storage accounts involved (if known) until full resolution.
## Detection
- Indicators of Compromise: Unauthorized modifications to cloud storage containers belonging to Axis hosting Revit assets; presence of tampered MSI installers or malicious RFA files delivered via the plugin channel.
- Detection methods and tools: Network monitoring for suspicious API calls to the exposed Azure Storage Account; File integrity monitoring on endpoints running Revit, specifically checking RFA imports or MSI installations sourced from known Axis distribution paths.
## References
- Vendor advisories: [Vendor advisory link not specified, but implied by Axis remediation]
- Relevant links - defanged: trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-revit-supply-chain-risk.html