The search string inurl:axis-cgi/mjpg/video.cgi is a common Google Dork used to find live MJPEG video streams from Axis network cameras. This specific CGI path is part of the Axis VAPIX API used for video streaming. Key URL Structures
Depending on the desired output (snapshot vs. live stream), the following URL patterns are used:
Live MJPEG Stream: http://
Single JPEG Snapshot: http:// Common Search Parameters
When searching or building scripts in 2021 and beyond, developers often use specific arguments to customize the feed: Resolution: Add ?resolution=640x480 to specify dimensions.
Compression: Use &compression=25 to balance quality and bandwidth.
Text Overlay: Use &text=1&textstring=CameraName to display text on the stream.
Camera Selection: For multi-channel encoders, use &camera=. Access and Security
Authentication: Most modern Axis devices require a username and password (e.g., http://user:pass@IP/axis-cgi/mjpg/video.cgi).
Default Credentials: Historically, Axis used root as the default username and pass as the password, but newer firmware (11.8+) requires users to set a unique password during initial setup.
Ports: Streams are typically accessed via port 80 (HTTP) or 443 (HTTPS). Initial Device Access Changes - Axis Communications
A review of the search query inurl:axis-cgi/mjpg/video.cgi reveals its use as a "Google Dork" to identify publicly accessible Axis IP cameras that stream video via the VAPIX video streaming API. Overview of Axis MJPEG Streams
Purpose: The path /axis-cgi/mjpg/video.cgi is a standard VAPIX API endpoint used to retrieve Motion JPEG (MJPEG) video from Axis devices.
Functionality: Users can append arguments to the URL to specify resolution, compression, and video sources (e.g., resolution=320x240&compression=25).
Vulnerability Context: While the path itself is a legitimate developer tool, its exposure in public search engine indexes often indicates misconfigured devices that lack proper authentication or password protection. Key Security Findings (2021 & Recent)
Axis as CNA: In April 2021, Axis Communications became an authorized CVE Numbering Authority (CNA), centralizing their security advisory reporting.
2021 Vulnerabilities: Critical vulnerabilities identified in 2021, such as CVE-2021-31986 (Heap-based buffer overflow), highlighted risks for devices like the Axis Companion Recorder.
Legacy Risks: Many older devices still use MJPEG streams for backwards compatibility, often with weak or disabled RTSP authentication, making them easier targets for unauthorized viewing. Recommended Mitigation Steps
To secure Axis devices and prevent them from appearing in these search results, Axis documentation recommends:
Enforce Authentication: Ensure the Network.RTSP.AuthenticateOverHTTP parameter is active and strong passwords are set for all accounts.
Firmware Updates: Regularly apply Axis OS security patches to mitigate known CVEs.
Network Hardening: Disable unused services and use a firewall or VPN to restrict camera access to internal networks only. Video streaming - Axis developer documentation
The Danger of Unsecured Video: Why Your AXIS Camera Might Be Public When you search for "inurl:axis-cgi/mjpg/video.cgi"
, you aren't just looking at a technical string—you’re likely performing a "Google Dork" that reveals live, unsecured camera feeds. These cameras, often manufactured by AXIS Communications
, can sometimes be found indexed on the public internet due to misconfigurations or outdated firmware. What Does the Search Query Mean?
The query is a specific instruction to search engines to find websites where the URL contains the path for an AXIS camera's Motion JPEG (MJPEG) stream. Tells Google to look for specific keywords within the URL. axis-cgi/mjpg:
Refers to the common internal path AXIS cameras use to serve live video streams.
Often refers to specific vulnerabilities or "dorks" that gained popularity that year. The Security Risks of Exposed Cameras
If a camera is reachable via this URL without a password, anyone with an internet connection can view the live feed. Privacy Breaches
: Live video from homes, offices, or sensitive areas can be watched and recorded by strangers. Pre-Authentication Attacks
: In 2021 and beyond, researchers found vulnerabilities (like CVE-2021-31897
) that could allow hackers to bypass controls or even execute code on the device. Lateral Network Movement
: Once a camera is compromised, attackers may use it as a "pivot point" to access other devices on your private network. How to Secure Your AXIS Camera If you own an AXIS Communications camera
, ensure it is not part of a public "dork" list by following these steps: Security Advisories - Axis Documentation
Report: Exposed MJPG Streams via Insecure CGI Scripts (2021)
Summary: This report highlights a security concern related to the exposure of MJPG (Motion JPEG) video streams through insecure CGI (Common Gateway Interface) scripts. Specifically, the search term "inurl:axis-cgi/mjpg/motion-jpeg 2021" suggests that there are still instances of IP cameras and other devices with Axis Communications' software or similar configurations that are vulnerable to exploitation. These devices can potentially expose live video feeds to unauthorized access.
Introduction: The term "inurl" refers to a search query operator used to find specific URLs containing a particular string. The string "axis-cgi/mjpg/motion-jpeg" is indicative of a path used by certain IP cameras, particularly those made by Axis Communications, to stream video in MJPG format. This format breaks down video into individual JPEG images that can be easily transmitted over the internet. While the technology is widely used for surveillance and other applications, improper configuration or outdated firmware can lead to security vulnerabilities.
Risk Assessment: The exposure of MJPG streams via insecure CGI scripts poses significant security risks, including:
Unauthorized Access to Live Feeds: Without proper authentication or with weak credentials, live video feeds can be accessed by unauthorized individuals. This could compromise the privacy of individuals being recorded and potentially provide attackers with valuable information.
Data Breach: Continuous live feeds can be recorded and used for malicious purposes.
Device Exploitation: Exposed devices can become part of botnets or be used for further exploitation.
Technical Analysis: The specific search term suggests a focus on Axis Communications' products, which are widely used in surveillance systems. However, similar issues might arise with other IP cameras or devices that use analogous configurations for MJPG streaming.
Mitigation Strategies: To address these vulnerabilities, the following steps are recommended:
Update Firmware: Ensure that all devices are running the latest firmware versions, which often include security patches.
Use Secure Protocols: Switch from HTTP to HTTPS for encrypted communication.
Implement Authentication: Enforce strong authentication mechanisms for accessing video feeds.
Limit Exposure: Restrict access to video feeds through firewalls or by whitelisting IP addresses. inurl axis cgi mjpg motion jpeg 2021
Regular Audits: Perform regular security audits to identify and mitigate vulnerabilities.
Conclusion: The exposure of MJPG streams through insecure CGI scripts, as indicated by the search term "inurl:axis-cgi/mjpg/motion-jpeg 2021," highlights a persistent security challenge. By implementing strong security measures and staying up-to-date with the latest firmware and best practices, organizations can protect their surveillance systems from unauthorized access and potential exploitation.
Recommendations:
Future Directions: The surveillance industry should continue to evolve towards more secure by design approaches, emphasizing end-to-end encryption, secure authentication mechanisms, and regular security updates. Users must prioritize cybersecurity in the planning and maintenance of surveillance systems to protect both the integrity of the feeds and the privacy of individuals.
This query breaks down into several functional components that exploit how these devices communicate over the web:
inurl:: This operator instructs Google to only show results where the specified string appears in the website's URL.
axis-cgi/: Refers to the Common Gateway Interface (CGI) scripts used by Axis devices to process requests and manage hardware settings.
mjpg/video.cgi: The specific endpoint within the camera's firmware that initiates an MJPEG video stream.
2021: Likely a date modifier added by users to find devices indexed or active during that specific year, often used to bypass older, defunct results. The Role of MJPEG in IP Surveillance
Motion JPEG is a video compression format where each frame of video is separately compressed as a JPEG image. While newer formats like H.264 are more efficient, MJPEG remains common because it requires very little processing power and is natively supported by most web browsers. Video streaming - Axis developer documentation
I notice you’ve shared a search query that resembles a string used to find unsecured or publicly accessible network camera streams — specifically older Axis cameras using motion JPEG via mjpg CGI scripts.
I can’t provide a guide for locating or exploiting unprotected video feeds, as that could facilitate unauthorized access to private systems, violate laws (like the Computer Fraud and Abuse Act or similar regulations worldwide), and breach ethical standards.
However, I can offer two constructive alternatives:
If you’re a security researcher or system owner – Use this knowledge to audit and secure your own devices:
/axis-cgi/mjpg/video.cgi.If you need legitimate testing – Use isolated lab equipment and written authorization. Tools like ffmpeg can access password-protected streams when credentials are known.
If you’re looking for an educational overview of how search engines index IoT devices (e.g., Shodan, Censys), I’m happy to explain that in a lawful context instead.
Let me know how I can help legally.
The query "inurl:axis-cgi/mjpg/video.cgi" is a "Google Dork" primarily used to find live video streams from Axis Communications network cameras that are indexed by search engines. What the Terms Mean
inurl:: A search operator that tells Google to find pages with a specific text string in their URL.
axis-cgi/mjpg/video.cgi: This is the specific VAPIX API path used by Axis cameras to deliver a Motion JPEG (MJPEG) stream.
Motion JPEG (MJPEG): A video format where every frame is a separate, compressed JPEG image. Unlike modern formats like H.264, MJPEG does not use inter-frame compression, making it easier to edit but more bandwidth-intensive.
2021: This usually refers to the year of the indexed content, often used by researchers or hackers to find cameras that have been active or newly exposed since that time. Common Uses Video streaming - Axis developer documentation
The URL path inurl:axis-cgi/mjpg/video.cgi is a common Google Dork query used to locate live Motion JPEG (MJPG) streams from unsecured Axis Communications network cameras. While Axis cameras were among the first to offer simultaneous H.264 and MJPEG streaming, this specific CGI path remains a legacy method for direct video access. Feature Overview: Axis MJPEG Streaming (2021-2026 Context)
Modern Axis cameras continue to support Motion JPEG alongside advanced codecs like H.265 and Zipstream to ensure compatibility with various web browsers and legacy monitoring software.
VAPIX® Integration: The axis-cgi/mjpg/video.cgi path is part of the VAPIX API, allowing developers to request specific stream parameters, such as resolution, frame rate, and compression, directly via the URL.
Edge Analytics Compatibility: Streams accessed this way can often be paired with AXIS Video Motion Detection, which triggers events locally on the camera to save bandwidth.
Browser-Based Viewing: Motion JPEG is inherently supported by most web browsers without additional plugins, making it a "go-to" for simple remote viewing setups. Popular Compatible Axis Models
These professional-grade cameras support multi-streaming formats including MJPEG: AXIS M3125-LVE
: A 1080p outdoor turret camera featuring Lightfinder and AI-powered analytics. It supports MJPEG, H.264, and H.265 compression for flexible storage. AXIS P3248-LV
: A 4K Ultra HD dome camera ideal for high-detail surveillance. It includes motion-adaptive exposure and integrated IR illumination.
AXIS Q3515-LV: Designed for complex lighting, this dome camera provides high frame rates (up to 120 fps) and Forensic WDR. AXIS P3354
: A legacy but reliable indoor dome offering 720p resolution and Lightfinder technology. Security Risks and Best Practices
Publicly accessible streams via the axis-cgi path are often the result of misconfigurations. Modern security protocols on these devices include:
Signed Firmware & Secure Boot: Available on newer models like the Q6135-LE to prevent unauthorized software from running.
Axis Edge Vault: A hardware-based platform that protects the camera's ID and enables secure, encrypted communication.
Privacy Masking: Allows operators to "draw" over sensitive areas (like bank teller screens) to ensure they are never recorded or streamed.
Axis Camera URL Question - Ignition - Inductive Automation Forum
2021This is the most critical temporal anchor. Including "2021" in the search narrows results to pages indexed around that year, referencing specific firmware versions or known vulnerabilities (like CVE-2021-31987 or CVE-2021-31989 related to Axis devices). It also suggests that the camera firmware or web interface copyright date is 2021, meaning these devices are likely still unpatched.
When combined, the full query finds Google-indexed URLs like:
http://[IP_ADDRESS]/axis-cgi/mjpg/video.cgi?resolution=640x480http://[IP_ADDRESS]/axis-cgi/mjpg/video.cgi?camera=1&motion=onIntroduction
Security researchers, hobbyists, and curious users sometimes use targeted search queries to discover publicly accessible webcams and networked cameras. One query that has circulated is:
inurl:"axis cgi mjpg" "motion jpeg" 2021
This post explains what that query looks for, why people use it, the risks it highlights, and safe, ethical ways to test and mitigate exposure.
What the query means
Why people run this search
Risks and implications
Why 2021 appears in queries
Ethical and legal considerations
How organizations can check and remediate exposure
Safe ways to research camera exposure
Takeaway The query inurl:"axis cgi mjpg" "motion jpeg" 2021 targets a class of older MJPEG camera streams and highlights the broader issue of exposed networked cameras. The responsible response is to audit, secure, and update devices, and to avoid accessing streams you do not own or control.
Related search suggestions (Note: additional suggested search terms are available if you’d like them.)
The search query "inurl:axis-cgi/mjpg/video.cgi motion-jpeg 2021" is a specialized "Google Dork" used to identify publicly accessible Axis Communications IP cameras. This specific string targets the underlying CGI (Common Gateway Interface) path typically used to stream Motion JPEG (MJPG) video. Understanding the Dork Components
This search query works by breaking down the camera's URL structure into recognizable patterns:
inurl: This operator restricts results to pages with specific text in their URL.
axis-cgi/mjpg/video.cgi: This is the standard directory and filename for many Axis cameras to serve a live video stream.
motion-jpeg: This specifies the video codec where each frame is compressed as a separate JPEG image, often used for legacy or low-bandwidth streaming.
2021: This year tag is frequently used by researchers to find devices or pages indexed during that specific timeframe, helping to filter for more recent, potentially unpatched systems. Why This is a Security Concern
Using advanced search operators to find connected devices—a practice known as Google Dorking—can expose sensitive environments. Medium·bob218 How to find webcams using the Google Dorking. | by bob218
The search query inurl:axis-cgi/mjpg is a well-known "Google Dork" used to find publicly accessible Axis Communications network cameras that are streaming video via Motion JPEG (MJPEG)
. While often used by security researchers to find vulnerabilities, it also highlights the critical importance of IoT privacy.
The "Google Dork" and Your Privacy: Why Your Camera Might Be Public
In the world of cybersecurity, a "Google Dork" isn't a person—it's a specialized search query. By using operators like
, users can filter results to find specific web page structures. For owners of Axis network cameras , the string /axis-cgi/mjpg/video.cgi is the standard path for a live video stream.
If a camera is connected to the internet without proper password protection or is configured with a "public" view, Google's bots can index that live feed, making it searchable by anyone in the world. Why 2021 was a Turning Point
The inclusion of "2021" in these searches often refers to a year of heightened awareness regarding IoT (Internet of Things) vulnerabilities. As remote work spiked, many businesses and homeowners installed cameras but neglected basic security protocols, leading to a surge in indexed private feeds. How to Secure Your Axis Camera If you own an Axis device
, ensure your private life stays private by following these steps: Set Strong Passwords
: Never leave the factory default login credentials. Axis now requires users to set a password upon first login to mitigate this risk. Disable Public Access
: Check your settings to ensure that the MJPEG stream is not accessible without authentication. Use Secure Remote Access
: Instead of manual port forwarding—which exposes your camera to search engines—use tools like Axis Secure Remote Access to encrypt your connection. Keep Firmware Updated : Regularly check for updates on the Axis Support page to patch known security loopholes. Proactive Tip
: You can test your own security by searching for your IP address alongside these dorking terms. If your feed pops up, it’s time to lock down your permissions immediately. Perspective video player with Axis network camera 10 Feb 2022 —
I understand you're asking for a paper based on a search query string, but I want to be clear about what I can and cannot provide.
The string inurl axis cgi mjpg motion jpeg 2021 is a search operator (typically used in Google or Shodan) to find exposed Axis network camera web interfaces that stream Motion JPEG video via the axis-cgi/mjpg/motion.cgi path. Writing an academic or technical paper about that specific search string in the context of 2021 is possible. However, I cannot produce a paper that:
Instead, I can provide a structured outline and key discussion points for a legitimate technical paper on the broader topic of exposed video surveillance devices, using that search string as a case study from 2021. You can then expand this into a full paper.
Clicking such a link opens a browser window showing a never-ending sequence of JPEG images refreshing 15–30 times per second. There is no login prompt, no password wall. Just live video. In many cases, the camera’s overlay displays: timestamp, camera name, IP address, and occasionally the location (e.g., "Warehouse North Dock").
In 2020-2021, millions of cameras were installed for remote monitoring of empty offices, warehouses, and retail stores. IT teams, overwhelmed by transitioning staff to work-from-home, often failed to change default passwords or disable public access.
The search string inurl:axis cgi mjpg motion jpeg 2021 is a key to a door that should never have been left open. For security professionals, it’s a reminder of the persistent dangers of unauthenticated Internet of Things (IoT) devices. For camera owners, it’s a warning to audit their network surveillance gear. For everyone else, it’s a cautionary tale about how simple search queries can reveal private moments and places.
By understanding the technology behind the query — Axis cameras, CGI interfaces, MJPEG streaming — and adopting responsible security practices, we can reduce the number of exposed cameras online and build a safer, more private digital world.
If you are a camera owner, take action today: check your Axis devices for anonymous access, enable authentication, and move remote access behind a VPN. If you are a researcher, always obtain permission before probing or accessing any non-public system. Privacy and security are collective responsibilities.
This article is for educational and defensive security purposes only. Unauthorized access to any camera system is illegal and unethical.
The query string inurl:axis-cgi/mjpg/video.cgi is a specialized search engine operator, or "Google Dork," used to find publicly accessible live video streams from Axis Communications network cameras. The extension including "2021" typically refers to the year these specific vulnerabilities or configurations were heavily indexed or documented in security databases like the Google Hacking Database (GHDB) Understanding the Technical Mechanism The CGI Script : The path /axis-cgi/mjpg/video.cgi is the standard endpoint for Axis VAPIX API to request a Motion JPEG (MJPEG) stream. Motion JPEG (MJPEG)
: Unlike modern H.264 compression, MJPEG delivers a sequence of individual JPEG images. This is often used for legacy support or simpler AI processing integrations where individual frame analysis is required. Request Arguments
: Users can append arguments to the URL to customize the stream, such as: resolution=640x480 compression=25 Axis developer documentation Security and Ethical Implications Using these dorks falls under Reconnaissance
, the first phase of a cyberattack. While searching for these links is generally not illegal in many jurisdictions, accessing or interacting with the cameras without authorization can lead to severe legal consequences under laws like the Computer Fraud and Abuse Act (CFAA) in the U.S. or the Computer Misuse Act in the UK. ResearchGate Video streaming - Axis developer documentation
The blue light of the monitor bathed the cluttered basement in a cold, electronic glow. It was 3:00 AM, and Elias was deep in the "weird part of the internet" again.
He wasn't a hacker, not really. He was a digital voyeur, a "google dorker"—someone who used advanced search operators to find things that weren't meant to be public, but weren't exactly private either. He tapped his fingers rhythmically against his coffee mug, watching the search results populate.
The query was specific, a string of text that acted like a skeleton key for the forgotten corners of the web: inurl axis cgi mjpg motion jpeg 2021.
This string was legendary in the OSINT (Open Source Intelligence) community. It targeted Axis Communications cameras—high-end surveillance gear used by businesses, governments, and wealthy homeowners. The inurl operator looked for specific directory structures, axis-cgi indicated the control interface, and mjpg meant Motion JPEG, a streaming format often left unsecured.
Elias hit enter.
The results page was a mess of broken links and error pages. "404 Not Found." "403 Forbidden." Most people had wised up since the early days of Shodan and default passwords. The 2021 tag was meant to filter for newer installations, but it was mostly returning junk.
He clicked "Next Page." Nothing.
He clicked "Next Page" again.
Then, on the fifth page, buried under a pile of irrelevant PDF files, a single IP address resolved. It was just a string of numbers, no domain name. The title tag read simply: AXIS P3245-V Network Camera.
Elias sat up straighter. "Gotcha," he whispered. The search string inurl:axis-cgi/mjpg/video
He clicked the link. A grey pop-up appeared: Authentication Required.
Most of these old feeds required a username and password. The default for Axis cameras was usually root and pass, but Elias knew that trick rarely worked anymore. He tried to dismiss the box. To his surprise, the browser bypassed it entirely, loading a black page with a single, centered image container.
It was the Motion JPEG stream. It was live.
The image that flickered to life was high definition, startlingly crisp in the darkness of Elias’s basement. It showed a room. Not a parking garage or a lobby, but what looked like an office. A heavy wooden desk, leather chairs, and a wall of windows overlooking a city skyline.
Elias leaned in. The timestamp in the corner was moving. It was live.
"Looks expensive," he muttered. He took a screenshot, his standard procedure for documenting a find.
He watched for five minutes. The office was empty. The city lights twinkled in the background. It was peaceful, almost hypnotizing. He was about to close the tab—the thrill of the hunt was over, and the reward was just a boring empty office—when something happened.
The lights in the office on the screen snapped on.
Elias froze. A man walked into the frame. He was wearing a tailored suit, his back to the camera. He walked to the window, hands clasped behind his back, staring out at the city.
"Hello?" Elias said to the empty room, a reflex he couldn't stop.
The man in the suit didn't turn around. He just stood there.
Elias checked the timestamp. It was moving normally. This was real-time.
Suddenly, the man turned. He didn't look at the door, or the desk. He looked directly up at the ceiling—directly into the lens of the camera.
Elias felt a chill run down his spine. The man’s face was... wrong. It was smooth, too smooth, like a wax figure. His eyes were wide, unblinking.
The man raised a hand and pointed a finger at the camera.
On Elias’s screen, a text overlay appeared over the video feed. It wasn't a pop-up; it was part of the video stream itself. It was rendered in bright red text over the man's pointing hand.
DEVICE: AXIS P3245-V FIRMWARE: MODIFIED 2021.12.1 STATUS: SENDING
"Sending?" Elias whispered. "Sending what?"
He reached for the power strip to yank the plug on his router. He didn't like this. This wasn't a forgotten camera; it was a trap.
Before his hand could reach the switch, the video changed. The feed glitched, the man in the suit dissolving into digital artifacts, and then the feed switched.
It wasn't the office anymore.
It was Elias’s basement.
The angle was from high up, near the ceiling. He saw the back of his own head. He saw his hand hovering over the power strip. He saw his cluttered desk.
Elias spun around in his chair, looking up at the corner of the ceiling where the old smoke detector was mounted.
There was no smoke detector there anymore. In its place was a small, black, dome-shaped lens he had never noticed before. A tiny, red LED blinked rhythmically.
He turned back to the monitor. The text on the screen had changed.
CONNECTION ESTABLISHED. TARGET ACQUIRED. WELCOME TO THE NETWORK.
The browser tab closed itself. Then, his file explorer opened. Then his command prompt began typing commands on its own, faster than any human could type.
cd /users/
rm -rf /
accessing webcam...
accessing microphone...
Elias scrambled, finally yanking the power cord from the wall. The monitors went black. The hum of the computer fans died instantly. He sat in the sudden, suffocating silence of the dark basement, his chest heaving.
He stared at the black screens, waiting for his eyes to adjust.
Slowly, a faint blue light began to glow again. Not from the monitor, but from the webcam light on his laptop, which was still running on battery.
It was on.
From the laptop speakers, which he had forgotten to mute, a voice spoke. It was calm, synthesized, and sounded disturbingly like the man in the suit.
"Searching
The query inurl:axis-cgi/mjpg/video.cgi is a common search operator (often called a "Google dork") used to find publicly accessible live feeds from Axis network cameras.
While it has been used by hobbyists for "armchair traveling," it is primarily associated with discussions around privacy and cybersecurity. Context and Security Implications
Camera Identification: The URL string specifically targets the Axis Video API (VAPIX) used to request an MJPEG (Motion JPEG) stream from a camera.
Privacy Concerns: Using this search term can reveal unsecured cameras in various locations, such as private homes, offices, or public spaces. This highlights the importance of changing default passwords and disabling public access on IoT devices.
2021 Relevance: By 2021, increased awareness of IoT vulnerabilities led many manufacturers and security organizations to push for better default security settings, making these types of exposed feeds less common than in previous years. Technical Usage
For developers or authorized users, these CGI paths are intended for legitimate streaming: MJPEG Stream: http://.
Single JPEG Snapshot: http://.
Modern RTSP Stream: Most modern integrations prefer RTSP for higher efficiency, typically found at rtsp://. Video streaming | Axis developer documentation
The search query inurl:axis cgi mjpg motion jpeg 2021 is typically used to find live, unsecured video feeds from Axis Communications network cameras. These cameras utilize a specific Common Gateway Interface (CGI) path to serve Motion JPEG (M-JPEG) streams directly to a browser without requiring complex plugins.
Here is useful text regarding the technical structure and implications of this query:
Several 2021 Axis firmware versions had CGIs that were purposely left open for backward compatibility. Specifically, the mjpg/video.cgi endpoint often bypassed authentication if accessed via older HTTP 1.0 requests. Security researchers at SEC Consult and Positive Technologies identified that many Axis cameras running firmware versions 10.x and 11.x (released in 2021) defaulted to allowing M-JPEG streams without HTTP digest authentication if the request came from the local subnet—but firewalls were often misconfigured, exposing the subnet to the WAN. Data Breach: Continuous live feeds can be recorded