CRITICAL🇵🇱 Wersja polska

CVE-2025-12285

CVSS 10.0v4.0pub. 2025-10-26upd. 2025-11-10

Missing Initial Password Change.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-521 (weak password policy) and CWE-20 (insufficient input validation) consists of the absence of a mechanism enforcing the change of factory/default password after first login. An attacker possessing knowledge of the manufacturer's default credentials can gain access to the device without any additional prerequisites, as access is possible directly over the network without special authentication. A network attack vector (AV:N) with no complexity requirements (AC:L) and no privileges required (PR:N) makes the exploit trivial to perform.

Impact

An attacker can gain full control of the device, including access to sensitive data, ability to modify configuration, and potential impact on systems connected to it. In the case of access control devices, this may result in a breach of physical security of the facility.

Mitigation & patch

Apply patches available from the manufacturer according to references (https://azure-access.com/security-advisories). Until firmware is updated, immediately manually change the device's default password to a strong, unique password and restrict network access to the devices exclusively to trusted hosts (e.g., via firewall or network segmentation).

Who is affected

Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5 and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Azure Access Blu Ic2

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic2 Firmware

    OS
    Azure-Access
    < 1.20
  • Azure Access Blu Ic4

    HW
    Azure-Access
    wszystkie wersje
  • Azure Access Blu Ic4 Firmware

    OS
    Azure-Access
    < 1.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-12600CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12599CRITICAL10.0PL ✓ten sam produkt

Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4

CVE-2025-12601CRITICAL10.0PL ✓ten sam produkt

Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4

CVE-2025-12553CRITICAL10.0PL ✓ten sam produkt

Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4

CVE-2025-12516CRITICAL10.0PL ✓ten sam produkt

Brak obsługi błędów HTTP 5xx w Azure-Access BLU-IC2 i BLU-IC4