It's well known that Axis cameras have no default password; you are prompted, from the web client, to create a administrator password when first used or after a reset.
But, what may not be as well known is that no password is required to access the camera thru VAPIX, as long as it's done before a root password is first set, e.g. by the web-client.
This is not a bug either:
However, if the device is first accessed using the VAPIX API (i.e. not the GUI) there is no hard requirement from the device to enter users with proper credentials. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. VAPIX Authentication Guide
VMSes typically use VAPIX to connect. So the question is, if never accessed from the web client, do VMSes force you to set a password?
And if not, would that mean that those cameras are accessible without a password, even after being added to working system?