When a video server is found via an indexframe.shtml search, it poses several threats:
Surveillance hardware is frequently installed and neglected. Unlike modern operating systems that prompt users for automated overnight updates, legacy industrial and commercial IoT hardware requires manual maintenance that often falls through the cracks of busy IT departments. 2. Lack of Inherent Security by Design
The dork can even be refined. For example, appending -inurl:org -inurl:com filters out results from those common domains, leaving only IP addresses connected directly to the internet.
Article last updated: October 2025. For an updated list of exposed devices, use Shodan's axis video server search with filters for 200 OK status. inurl indexframe shtml axis video server new
http://203.0.113.45/axis-cgi/admin/indexframe.shtml?new=1
(used in airports, banks, government buildings, hospitals). Finding one via this query means:
: Historic and some unconfigured devices can be accessed using default manufacturer administrator credentials ( root ), allowing attackers full system takeover. When a video server is found via an indexframe
Home and small business users may place their cameras directly on a public IP address or utilize UPnP (Universal Plug and Play) , which automatically opens ports on their router to make the camera globally accessible.
Many older devices were shipped with default credentials (like root/pass) or no password requirement at all for the "view" stream. If the owner doesn't set a strong password, anyone can access the feed. 2. Port Forwarding
for secure remote camera access?
Administrators can check their own public IP ranges using Google dorks or IoT search engines like Shodan and Censys. If your internal equipment appears in these search results, it indicates an immediate need to reconfigure your firewall rules.
: This specifies the exact file name and extension. The .shtml extension indicates Server Side Includes (SSI), a legacy web development technology used to dynamically insert content into web pages before sending them to the browser.