CRITICAL🇵🇱 Wersja polska

CVE-2025-12216

CVSS 10.0v4.0pub. 2025-10-25upd. 2025-11-10

Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The application management mechanism in BLU-IC2 and BLU-IC4 devices does not properly verify installed applications, allowing installation of a malicious or malformed package (CWE-1301: lack of verification of the correctness of imported data field values). After installation of such an application, the system is unable to uninstall it, which can lead to permanent unavailability of the device or its key functions.

Impact

An attacker can cause permanent installation of a malicious application on the device and cause system unavailability — both at the device level itself and in systems associated with it. High impact on confidentiality, integrity, and availability applies to both local components and external systems.

Mitigation & patch

Apply patches available from the manufacturer according to references published at https://azure-access.com/security-advisories. Until updates are deployed, it is recommended to restrict network access to BLU-IC2 and BLU-IC4 devices and monitor attempts to install unknown applications.

Who is affected

Azure-Access BLU-IC2 with firmware up to and including version 1.19.5, and Azure-Access BLU-IC4 with firmware up to and including version 1.19.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12216 — Azure-Access — Blu-Ic2 — CRITICAL — CVSS 10.0 | CVEbaza.pl