Supply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage Credentials and Revit RCE Vulnerabilities (Research)
ID: d310d345-0116-55c9-9b1d-6e64b42487e6
STIX ID: report--d310d345-0116-55c9-9b1d-6e64b42487e6
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2025-10-08
Date Updated: 2026-05-01
Author: Wiz Threat Research
Researchers found cleartext Azure Storage keys and SAS tokens embedded in Axis Communications' signed .NET DLLs for an Autodesk Revit plugin. The credentials granted over-privileged access to containers hosting installers and RFA model files. Coupled with multiple RCE vulnerabilities in Revit's RFA parsing, this created a viable supply-chain attack vector: attackers could upload tampered installers or weaponized RFA files to compromise downstream users, until Axis issued patched plugin versions and rotated credentials.
