Axis Plugin Credential Leak Exposes Autodesk Revit Users to Supply Chain Attack
Trend Micro researchers found Azure Storage Account credentials embedded in signed DLLs of an Axis Communications plugin for Autodesk Revit, enabling potential supply-chain attacks.

Trend Micro researchers have uncovered a critical security flaw in an Axis Communications plugin for Autodesk Revit that exposed Azure Storage Account credentials, potentially enabling supply-chain attacks against the vendor's customers. The credentials, including access keys and SAS tokens, were embedded in signed DLLs distributed as part of the AXIS Plugin for Autodesk Revit, a tool used by architects and engineers to incorporate Axis product models into building designs.
The exposed credentials granted read and write access to three Azure storage accounts belonging to Axis Communications. These accounts contained MSI installers for the plugin itself, as well as Revit Family Architecture (RFA) model files for various Axis products such as security cameras and radars. An attacker with access could upload malicious RFA files to the storage accounts, which would then be distributed to unsuspecting customers.
The risk is compounded by multiple remote code execution vulnerabilities in Autodesk Revit itself, discovered by Trend Micro's Zero Day Initiative (ZDI). These vulnerabilities, tracked as ZDI-24-1181, ZDI-24-1328, ZDI-24-1329, and ZDI-25-858, can be triggered by importing a malicious RFA file. By combining the credential exposure with these RCE flaws, an attacker could achieve mass compromise of Axis customers using Autodesk Revit.
The credentials were found in a DLL named AzureBlobRestAPI.dll, signed by AEC AB, an Autodesk partner. The DLL contained cleartext Azure SAS tokens and shared access key pairs for storage accounts named "axisfiles" and "axiscontentfiles". The researchers discovered the exposure on July 8, 2024, through a VirusTotal rule designed to detect Azure SAS tokens.
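
The same kind of check can run on the vendor side before a build ships. The sketch below is an added example, not Trend Micro's VirusTotal rule or any vendor's code: it scans a binary's embedded ASCII and UTF-16LE strings for SAS tokens and storage account keys. The patterns, the sample bytes and the account name `examplestore` are assumptions constructed for illustration.

```python
import re

# Embedded string literals: printable ASCII runs, or UTF-16LE (char + NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{20,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){20,}")

# SAS token markers: service version date plus a URL-encoded base64 signature.
SAS_SV = re.compile(r"\bsv=\d{4}-\d{2}-\d{2}")
SAS_SIG = re.compile(r"\bsig=[A-Za-z0-9%+/=]{20,}")
# Storage account key: 64 bytes, i.e. 88 base64 characters ending in "==".
ACCOUNT_KEY = re.compile(r"AccountKey=[A-Za-z0-9+/]{86}==")
ACCOUNT_NAME = re.compile(r"AccountName=([a-z0-9]{3,24})")


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for each string literal in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group()[::2].decode("ascii")


def scan(data: bytes):
    """Return findings; the secret values themselves are never echoed."""
    findings = []
    for offset, enc, text in extract_strings(data):
        if SAS_SV.search(text) and SAS_SIG.search(text):
            findings.append({"type": "sas_token", "offset": offset, "encoding": enc})
        if ACCOUNT_KEY.search(text):
            name = ACCOUNT_NAME.search(text)
            findings.append({"type": "account_key", "offset": offset, "encoding": enc,
                             "account": name.group(1) if name else None})
    return findings


# Constructed sample standing in for a compiled binary; all values are fake.
FAKE_KEY = "A" * 86 + "=="
FAKE_SAS = "?sv=2022-11-02&sp=rwl&se=2030-01-01T00:00:00Z&sig=" + "B" * 43 + "%3D"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + f"AccountName=examplestore;AccountKey={FAKE_KEY}".encode("ascii")
    + b"\x00\x01\x02"
    + ("https://examplestore.blob.core.windows.net/c" + FAKE_SAS).encode("utf-16-le")
    + b"\x00\x00This program cannot be run in DOS mode."
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Wired into a release pipeline, any non-empty result from `scan` should fail the build before the artifact is signed.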
Axis Communications has confirmed that there has been no unauthorized access to their cloud storage or any attacks related to these vulnerabilities. The vendor has released version 25.3.718 of the plugin, which resolves all reported vulnerabilities. Axis has also taken steps to secure the storage accounts and rotate the exposed credentials.
This incident highlights the growing risk of supply-chain attacks targeting software development and distribution pipelines. By compromising a single vendor's plugin, attackers could potentially reach thousands of downstream customers. The combination of exposed cloud credentials and known vulnerabilities in the host application creates a dangerous attack vector that organizations must guard against through rigorous security reviews of third-party components.