CRITICAL🇵🇱 Wersja polska

CVE-2025-12176

CVSS 10.0v4.0pub. 2025-10-24upd. 2025-11-10

Undocumented administrative accounts were getting created to facilitate access for applications running on board.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The firmware of BLU-IC2 and BLU-IC4 devices creates hidden administrative accounts to facilitate access for applications running on the device. These accounts are not documented or disclosed to system administrators, which means their credentials may be known to an attacker who has knowledge of their creation mechanism. The vulnerability is classified as CWE-1242 (Included Undocumented Features or Chicken Bits), indicating deliberately embedded but hidden functionality.

Impact

An attacker who knows the credentials to undocumented accounts can gain full administrative access to the device without the owner's knowledge. This can lead to device takeover, network compromise, and compromise of associated systems.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with references published at https://azure-access.com/security-advisories. Until updates are deployed, it is recommended to isolate devices from untrusted network segments and monitor unauthorized login attempts.

Who is affected

Azure-Access BLU-IC2 with firmware versions up to 1.19.5 inclusive; Azure-Access BLU-IC4 with firmware versions up to 1.19.5 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4