In Axis firmware versions prior to 6.0 (released around 2015), certain *.shtml pages, including some update-related frames, did not validate the session token properly. This meant that if an attacker could guess the URL (via this dork), they could access the page without logging in—a classic vulnerability.
: Recent reports have identified significant flaws in Axis remoting protocols, with over 6,500 servers inurl indexframe shtml axis video server upd