CRITICAL🇵🇱 Wersja polska

CVE-2025-12001

CVSS 10.0v4.0pub. 2025-10-20upd. 2025-11-07

Lack of application manifest sanitation could lead to potential stored XSS.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

An attacker can provide a maliciously crafted application manifest that is not properly validated or sanitized by the device software. As a result of improper input processing (CWE-20), the malicious script is permanently stored in the system (stored XSS, CWE-79) and is executed in the context of the victim's browser each time the infected content is displayed. The lack of user interaction required on the attacker's side and the absence of required permissions make the attack remotely exploitable and fully automated.

Impact

An attacker can execute arbitrary JavaScript code in the context of a logged-in user's session, which may lead to account takeover, theft of authentication credentials, manipulation of the device interface, and potential control over both the client-side system and network infrastructure.

Mitigation & patch

Apply patches available from the manufacturer according to references published at https://azure-access.com/security-advisories. Until an update is applied, it is recommended to restrict access to device management panels only to trusted networks and to implement network segmentation.

Who is affected

Azure-Access BLU-IC2 in versions up to and including 1.19.5 and Azure-Access BLU-IC4 in versions up to and including 1.19.5 (along with their corresponding firmware).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4