Researchers uncovered exposed Azure Storage Account credentials embedded in Axis Communications’ Autodesk Revit plugin, enabling unauthorized read/write access to cloud-hosted installers and RFA model files. When combined with multiple remote-code-execution (RCE) vulnerabilities in Autodesk Revit’s RFA file parsing, the issue created a viable path for a supply-chain attack on downstream Revit users. Axis has since remediated the credential exposure and issued patched plugin versions.
The Axis plugin’s signed .NET DLLs contained cleartext Azure Storage keys and SAS tokens, granting over-privileged control of storage accounts hosting MSI installers, HTML assets, and Revit RFA files. An attacker with access to these credentials could upload tampered installers or weaponized RFA files to the vendor’s distribution containers, resulting in trusted-by-default malware delivery through legitimate supply channels. Even after initial fixes, obfuscated tokens and unrotated credentials in previous releases allowed continued exploitation until later versions were issued. In parallel, ZDI identified multiple RCE vulnerabilities in Autodesk Revit that allowed arbitrary code execution upon importing a malicious RFA file, enabling a full compromise scenario if paired with storage tampering.
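A pre-release check for the exposure described above, as an added example (not code from the researchers, Axis, or Autodesk): it scans a built binary for Azure Storage account keys and SAS tokens in both ASCII and UTF-16LE, the encoding .NET uses for string literals, and reports whether each SAS token's `sp=` permissions allow modification. The function names, the sample bytes, and every credential value are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ASCII_RUN = re.compile(rb"[\x20-\x7e]{12,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){12,}")  # .NET string literals are UTF-16LE
# Storage account keys are 64 random bytes: 88 base64 characters ending in "==".
ACCOUNT_KEY = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
# A SAS query string is a run of short key=value pairs that includes sig=.
SAS = re.compile(r"(?:[a-z]{2,6}=[^&\s]+&)*sig=[^&\s]+(?:&[a-z]{2,6}=[^&\s]+)*")
MUTATING = set("acwd")  # sp= letters for add, create, write, delete

def strings(blob):
    """Yield printable strings stored as ASCII or as UTF-16LE."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")

def scan(blob):
    """Return findings without echoing the secret values themselves."""
    findings = []
    for s in strings(blob):
        if ACCOUNT_KEY.search(s):
            findings.append({"kind": "account_key", "risk": "full account control"})
        for m in SAS.finditer(s):
            q = parse_qs(m.group())
            if "sv" not in q:  # every SAS carries a signed version field
                continue
            perms = q.get("sp", [""])[0]
            risk = "tamper-capable" if MUTATING & set(perms) else "read-only"
            findings.append({"kind": "sas", "perms": perms,
                             "expiry": q.get("se", [""])[0], "risk": risk})
    return findings

def _sample():
    """Constructed bytes standing in for a DLL; all values are fake."""
    conn = "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=" + "A" * 86 + "=="
    rw = "https://example.blob.core.windows.net/installers?sv=2022-11-02&sp=rwdl&se=2030-01-01&sig=FAKE"
    ro = b"?sv=2022-11-02&sp=rl&se=2030-01-01&sig=FAKE"
    return (b"MZ\x90\x00" + conn.encode("utf-16-le") + b"\x01\x02"
            + rw.encode("utf-16-le") + b"\xff" + ro)

if __name__ == "__main__":
    for finding in scan(_sample()):
        print(finding)
```

A string scan like this only catches cleartext values: it will not find obfuscated tokens, and credentials already shipped in earlier releases stay valid until they are rotated.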