Axis Cgi: Mjpg

MJPEG is a video format where each frame is an independent JPEG image. The stream is delivered over HTTP using the multipart/x-mixed-replace content type. The server keeps the TCP connection open and continuously sends new JPEGs with a boundary delimiter.

Advantages of MJPEG:

Disadvantages:

Nevertheless, for custom integrations, the /axis-cgi/mjpg/video.cgi endpoint is often the fastest way to get pixels from an Axis camera into your application.

Axis cameras have a specific user group called "Anonymous Viewer." If this is enabled, the video.cgi script can be accessed without any login prompt. This is often used for public webcams but is frequently misconfigured on private security cameras, leading to unauthorized surveillance. axis cgi mjpg

| Issue | Impact | Mitigation | |-------|--------|-------------| | Unencrypted stream | Eavesdropping | Use HTTPS (/axis-cgi/mjpg/video.cgi over TLS) | | No frame authentication | Stream injection | Digest auth + IP whitelisting | | DoS via multiple streams | Resource exhaustion | Configure max simultaneous streams | | Information leakage | URL parameters in logs | Use POST or headers for sensitive data |

The prevalence of this specific URL structure has led to security issues on the public internet. Shodan and Censys scans frequently reveal Axis cameras where the axis-cgi directory is accessible without authentication due to: MJPEG is a video format where each frame

# Axis camera CLI configuration
Set HTTP Authentication = Digest
Set HTTPS = Required
Set Max CGI Connections = 5
Set CGI Access = Restrict to IP range

By default, Axis cameras require authentication. If the stream is accessed via a browser, the user is usually prompted for a username and password (Basic or Digest authentication).

However, in URL integration, credentials are often embedded in the request: Disadvantages:

http://user:password@192.168.1.90/axis-cgi/mjpg/video.cgi