Critical Cloud Credential Exposure in Autodesk Revit Plugin Sparks Supply Chain Alarm

Introduction

A recent cybersecurity investigation has uncovered a severe vulnerability in an official Autodesk® Revit® plugin developed by Axis Communications. Researchers found hardcoded Azure Storage Account credentials embedded in multiple signed DLLs, potentially allowing attackers to gain full control over the plugin’s distribution infrastructure. This incident highlights an alarming supply chain risk for Revit users and enterprise clients relying on Axis’s design tools.

Cloud Credential Exposure in Autodesk Revit Plugin

In July 2024, Trend Micro’s automated scanning flagged a suspicious signed DLL, AzureBlobRestAPI.dll, distributed via Autodesk partner AEC AB. The analysis revealed plaintext Azure Shared Access Signature (SAS) tokens and access keys embedded in the plugin code, specifically in AzureBlobRestAPI.DataTypes.Classes.Global. These credentials granted complete read and write privileges over Axis cloud accounts named “axisfiles” and “axiscontentfiles,” used to store MSI installers for the AXIS Plugin for Revit and Revit Family Architecture (RFA) model files.

The exposed credentials meant that anyone with access could download, modify, or upload malicious installers and RFA files. Considering that Revit is widely used for architecture and engineering workflows, the potential for supply chain compromise was significant. Attackers could have tampered with plugin installers or model files, potentially introducing malware into enterprise networks or public safety systems.

Inadequate Initial Fixes and Exploitation Risks

Following Trend Micro’s disclosure, Axis released version 25.3.710, attempting to obfuscate the credentials using tools like Eazfuscator. Unfortunately, researchers easily de-obfuscated these using de4dot, recovering valid access keys for additional accounts, such as “axisapphelpfiles.” Later versions, including 25.3.711, replaced hardcoded keys with less-privileged SAS tokens. However, older insecure versions remained accessible in stored plugin installers, leaving the system partially exposed.

It wasn’t until version 25.3.718 (March 2025) that Axis fully remediated the vulnerability by invalidating legacy credentials and revoking write access. Concurrently, Trend ZDI researchers discovered remote code execution (RCE) flaws in Autodesk Revit’s RFA file parser. If attackers had replaced legitimate RFA files in Axis storage using the leaked credentials, these flaws could have triggered multi-stage attacks, replacing design assets with malicious payloads. Axis has since confirmed that all vulnerabilities have been patched and no unauthorized access occurred.

This incident emphasizes the cascading dangers of hardcoded credentials in signed software, reinforcing the need for proactive supply chain security, strict credential management, and continuous monitoring of release artifacts to prevent exploitation of trusted distribution channels.

What Undercode Say: The Analytics Behind the Breach

This Axis Communications incident exposes the broader issue of software supply chain vulnerabilities, especially in the AEC (Architecture, Engineering, Construction) sector. Hardcoded cloud credentials, often seen as a convenience for developers, represent a critical security flaw because they provide persistent access to sensitive cloud storage. The potential consequences extend far beyond individual users; attackers could compromise enterprise workflows or even municipal infrastructure if malicious files propagate.

Trend Micro’s investigation demonstrates that obfuscation alone is insufficient. Tools like Eazfuscator may deter casual inspection, but dedicated reverse engineers can recover credentials within hours. The partial fixes applied in versions 25.3.710 and 25.3.711 illustrate a common corporate mistake: addressing symptoms rather than fully remediating root causes. Until legacy credentials were fully revoked in 25.3.718, the supply chain remained vulnerable, highlighting the importance of credential rotation policies and version control hygiene.

Moreover, the discovery of RCE flaws in Revit’s RFA parser raises the stakes exponentially. When combined with cloud account access, an attacker could orchestrate a multi-stage attack: first replacing trusted RFA files, then leveraging parsing vulnerabilities to execute arbitrary code in downstream user environments. This demonstrates how layered vulnerabilities in software ecosystems can amplify risks.

For enterprises relying on Revit and Axis plugins, the breach underscores several security imperatives:

Continuous Artifact Scanning – Signed DLLs and installers should be routinely scanned for hardcoded credentials and sensitive information.

Strict Access Controls – Cloud storage used for distribution must enforce least-privilege access and rotate credentials frequently.

Supply Chain Visibility – Organizations must map dependencies and verify third-party code integrity to prevent unauthorized modifications.

Rapid Vulnerability Disclosure – Early detection and transparent communication, as demonstrated by Trend Micro, can prevent large-scale exploitation.
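As an illustration of the artifact scanning recommended above, the following added example (not code from Trend Micro, Axis or the original report) searches a binary for Azure Storage account keys and SAS tokens in both ASCII and the UTF-16LE encoding .NET uses for string literals, and reports whether a SAS token carries write-type permissions. The account name `examplefiles`, the key and the token are constructed sample values.

```python
import base64
import re
from urllib.parse import parse_qs

ASCII_RUN = re.compile(rb"[\x20-\x7e]{16,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){16,}")  # .NET string literals are UTF-16LE
# A storage account key is 64 random bytes: exactly 86 base64 characters plus "==".
KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==")
QUERY_RE = re.compile(r"[A-Za-z0-9%&=:+/._-]{20,}")  # candidate SAS query strings

def extract_strings(blob):
    """Yield (offset, text) for printable runs in both encodings."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def scan(blob):
    """Return findings with secrets redacted so the report itself leaks nothing."""
    findings = []
    for offset, text in extract_strings(blob):
        for m in KEY_RE.finditer(text):
            findings.append({"type": "storage_account_key", "offset": offset,
                             "value": m.group()[:4] + "...[redacted]"})
        for token in QUERY_RE.findall(text):
            fields = parse_qs(token)
            if "sv" in fields and "sig" in fields:
                perms = fields.get("sp", [""])[0]
                findings.append({"type": "sas_token", "offset": offset,
                                 "permissions": perms,
                                 "expiry": fields.get("se", [""])[0],
                                 # w/d/a/c let the holder change or remove blobs
                                 "writable": bool(set(perms) & set("wdac"))})
    return findings

def constructed_sample():
    """Constructed stand-in for a DLL: fake key in UTF-16LE, fake SAS URL in ASCII."""
    fake_key = base64.b64encode(bytes(range(64))).decode()
    conn = "DefaultEndpointsProtocol=https;AccountName=examplefiles;AccountKey=" + fake_key
    sas = ("https://examplefiles.blob.core.windows.net/c?sv=2022-11-02&sp=rwdl"
           "&se=2030-01-01T00%3A00%3A00Z&sig=" + "A" * 43 + "%3D")
    return b"MZ\x90\x00" + conn.encode("utf-16-le") + b"\x00\x00\x01" + sas.encode() + b"\x00"

if __name__ == "__main__":
    for finding in scan(constructed_sample()):
        print(finding)
```

An obfuscator that encrypts string literals hides them from this kind of pass, so a clean result is not proof that a build carries no credentials.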

From a strategic perspective, this incident also signals the growing importance of zero-trust approaches in software distribution. Legacy assumptions of secure plugin ecosystems no longer hold; developers must anticipate that every publicly accessible artifact can be exploited if not properly secured.

Finally, the incident highlights industry-wide lessons. Supply chain attacks are no longer hypothetical; hardcoded credentials in widely used plugins provide a direct path for malicious actors to target enterprise infrastructure. By combining automation tools, static analysis, and cloud security hygiene, organizations can proactively reduce these risks before exploitation occurs.

🔍 Fact Checker Results

✅ Axis Communications patched all reported vulnerabilities.

✅ No evidence of unauthorized access or compromise was found.

❌ Initial obfuscation efforts did not fully secure exposed credentials.

📊 Prediction

Given the rising frequency of supply chain attacks in software ecosystems, we can expect:

Increased adoption of automated artifact scanning and credential detection tools. 🛡️

More stringent security requirements for third-party plugin distribution. 🔐

Enterprises prioritizing multi-stage threat simulations to anticipate chained vulnerabilities. ⚠️

Supply chain security in the AEC sector will likely become a competitive differentiator, with vendors demonstrating proactive vulnerability management to retain client trust.

References:

Reported By: cyberpress.org